Re: third-party packages adding apt sources

To: debian-project@lists.debian.org
Subject: Re: third-party packages adding apt sources
From: Charles Plessy <plessy@debian.org>
Date: Sat, 21 May 2016 12:47:26 +0900
Message-id: <[🔎] 20160521034726.GE6475@falafel.plessy.net>
In-reply-to: <[🔎] 573DD944.3010208@pocock.pro>
References: <[🔎] 573DD944.3010208@pocock.pro>

Hi Daniel,

Le Thu, May 19, 2016 at 05:18:28PM +0200, Daniel Pocock a écrit :
> 
> From a technical perspective, can we do more to prevent users being
> surprised by packages putting new entries in /etc/apt/sources.list.d?

maybe you are looking for an Apt option that would only install a package if it
comes from repository signed with a key that itself is signed by a trusted key ?

This way, from inside or outside Debian, chains of trust could be used to
certify the compliance of third-party repositories with good practices, or
other rules.

As suggested in this thread, dpkg triggers or other kinds of hooks could check
that packages installed directly without Apt would not change the trust keys
without the user being aware of this.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Reply to:

References:
- third-party packages adding apt sources
  - From: Daniel Pocock <daniel@pocock.pro>

Prev by Date: Re: Bits from the DPL -- April-May 2016
Next by Date: Re: third-party packages adding apt sources
Previous by thread: Re: third-party packages adding apt sources
Next by thread: Re: third-party packages adding apt sources
Index(es):
- Date
- Thread