
Re: gpg keyrings.



Julian Gilbey <J.D.Gilbey@qmw.ac.uk> writes:

> (1) It could be documented on http://keyring.debian.org/

I'm sure it could...[0]

> (2) I wouldn't have thought of using anonymous rsync either

Err, and?  Look, it's very simple: 

a) anonymous good, automated access to an allegedly secure account bad.
b) debian's keyrings rsync _very very well_[1].

> (3) I don't yet have much idea how debsig-verify works, but if it
>     uses [...]

I really couldn't care much less about debsig-verify right now
(especially after the recent dpkg SNAFU), but if it requires an
up-to-date keyring package then it is IMNSHO broken.

The canonical source for the debian keyring _is_[2] keyring.debian.org
(via anon-rsync); period.  The package is a convenience, nothing
more[3].

-- 
James

[0] Stuff tends to get put there in the same way that the key server
    got there; i.e. someone useful actually did the work rather than
    complaining the work wasn't being done.

[1] Small isolated changes to large (relatively) files.

[2] The only possible other contender for this claim is
    /debian/doc/debian-keyring.tar.gz (on f.d.o or mirrors) which is
    the historical canonical location (and predates the packaging by
    several years at least).

[3] Matthew guessed pretty accurately as to why it's irregularly
    updated.


