Re: Emdebian archive key for Lenny

On Wed, 31 Dec 2008 14:59:11 +0100
Luk Claes <luk@debian.org> wrote:

> Neil Williams wrote:
> > When the Lenny freeze started, I wasn't in any position to consider an
> > Emdebian release based on Lenny, I was expecting to get the tools into
> > Lenny and release with Squeeze. However, the delays to Lenny have meant
> > that Emdebian is almost ready (as close as Debian at any rate) to a
> > dual release alongside Lenny:
> > Grip can use the standard Debian Installer images for the available
> > architectures - all that is needed is a change in the choice of mirror,
> > either manually or via preseeding. The problem is that the emdebian
> > archive keyring is not available to the Lenny d-i because that uses
> > only debian-archive-keyring, which is maintained by debian-release.
> > I have prepared an emdebian-archive-keyring-udeb package if that is
> > helpful - it currently Conflicts: with and Provides:
> > debian-archive-keyring-udeb and consists of the d-a-k-udeb plus the
> > emdebian key.
> Would providing a debian-archive-keyring package (including the emdebian
> key) in the emdebian archive not be sufficient (with a higher version
> than the one in the Debian archive)?

AFAICT, only if all the ISOs are rebuilt with the higher version of
debian-archive-keyring (or equivalent) pre-installed inside.

It's a problem of where the key lives - debootstrap needs to have the
key in an archive that it can already trust before it can use the key
to trust an archive signed by that key. Putting the Emdebian key behind
a repository signed by a key not already in debian-archive-keyring
doesn't help.

The Emdebian key is currently available in a Debian package which means
that the Emdebian key is (indirectly) verified by the current version
of debian-archive-keyring. Direct verification requires installation of
the package from Debian or inclusion of the Emdebian key into the
debian-archive-keyring package, either in the Debian mirrors or in d-i
via the -udeb.

Putting either emdebian-archive-keyring or debian-archive-keyring (with
the emdebian key added) into the Emdebian archive means that
debootstrap has to first verify the Emdebian archive before being able
to upgrade debian-archive-keyring to the version that provides the key
to verify the Emdebian archive.

Chicken and egg.

The options, as I see them (and in no particular order or preference),

1. Make the Emdebian key part of the debian-archive-keyring within
all of Debian so that all Debian ISOs and all Lenny installations have
the Emdebian key available, (making the current
emdebian-archive-keyring package redundant in the process), or

2. Bring the Emdebian repository/server under the control of
debian-release so that the repository can be signed by a key already in
debian-archive-keyring, dropping the current Emdebian key completely, or

2a. Bring *a copy of the* Emdebian Grip repository under the control of
debian-release so that it can be signed by a key already in
debian-archive-keyring, or

3. Only put the Emdebian key into *udeb* (debian-archive-keyring-udeb)
in Debian Lenny so that once the D-I images are updated for the final
release, only the installer can verify the Emdebian archive - this
means that the installed systems have no Emdebian keys installed unless
the user subsequently chooses to install the relevant package from
Debian. This change has no effect *unless* the installation is
pre-seeded to use the Emdebian archive or the user deliberately enters
the full Emdebian archive details into the relevant installation
prompts, or

4. Create a hook in d-i that tries to get the emdebian-archive-keyring
package from a Debian Lenny mirror if the user selects the Emdebian
archive during the install - not sure how that could be done without
causing yet more translation grief for Christian and work for d-i, or

5. Leave me to rebuild every ISO to add a single 2kb file.

Options 1 and 2 are roughly equivalent.

Options 4 and 5 probably involve the most work - for d-i with option 4,
for me with option 5.

I realise Option 3 means that the installer will allow installs from
archives that are not under the direct control of debian-release but it
would only do so under direct instructions from the user. The process
would be documented only on www.emdebian.org.

The Emdebian Grip repository (http://buildd.emdebian.org/grip
unstable main) (http://www.emdebian.org/grip/dists/unstable/main/) is
quite small; Option 2a would make it semi-official. Whilst it is one of
my objectives to get Emdebian accepted as an official Debian install in
time for Squeeze, I'm not sure that the packages based on Lenny are
quite ready for an "official Debian" tag.

Is there any chance for Option 3, just changing the udeb in Lenny?


Neil Williams
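The "chicken and egg" in the mail above is a trust-closure problem: an archive can only be used once its signing key is already in a keyring the installer trusts, and a keyring package can only be fetched from an archive that has already been verified. The following is an added model of that rule, written for this page; it is not debootstrap or apt code, and the key fingerprints and archive names it uses are constructed placeholders, not real key ids. It computes which archives become usable from a given starting keyring and shows why shipping the Emdebian key only inside the Emdebian archive never bootstraps, while putting it in the installer's keyring (Option 3) or fetching it from an already-trusted Debian mirror first (the shape of Option 4) does.

```python
# Added illustration of the debootstrap/apt trust chain discussed in the mail.
# This is NOT debootstrap or apt code: it is a small simulation of the rule
# "an archive is usable only if the key signing its Release file is already
# trusted, and keyring packages can only be installed from usable archives".

from dataclasses import dataclass


@dataclass(frozen=True)
class Archive:
    name: str
    signing_key: str          # fingerprint of the key that signs the archive's Release file
    keyring_packages: frozenset  # keys contained in keyring packages this archive offers


def reachable_archives(archives, initial_keyring):
    """Return the names of the archives an installer could verify.

    Starts from the keys in the installer's own keyring (debian-archive-keyring-udeb)
    and repeatedly adds keys from keyring packages of archives that are already
    verified, until nothing changes (a fixed point). Keys that are only reachable
    through an unverified archive never become trusted.
    """
    trusted = set(initial_keyring)
    verified = set()
    changed = True
    while changed:
        changed = False
        for archive in archives:
            if archive.name not in verified and archive.signing_key in trusted:
                verified.add(archive.name)
                trusted |= archive.keyring_packages
                changed = True
    return verified


# Constructed fingerprints: placeholders, not the real Debian or Emdebian key ids.
DEBIAN_KEY = "CONSTRUCTED-DEBIAN-ARCHIVE-KEY"
EMDEBIAN_KEY = "CONSTRUCTED-EMDEBIAN-ARCHIVE-KEY"

# A Debian mirror: signed by the Debian key, and carrying the emdebian-archive-keyring
# package, so the Emdebian key is (indirectly) verified through it.
DEBIAN_MIRROR = Archive("debian", DEBIAN_KEY, frozenset({DEBIAN_KEY, EMDEBIAN_KEY}))

# The Emdebian Grip archive: signed by the Emdebian key. Following the suggestion in
# the quoted reply, it also offers a higher-versioned debian-archive-keyring that
# includes the Emdebian key, but that package sits behind the Emdebian signature.
EMDEBIAN_GRIP = Archive("emdebian-grip", EMDEBIAN_KEY, frozenset({DEBIAN_KEY, EMDEBIAN_KEY}))


def scenario_key_only_in_emdebian_archive():
    """Installer keyring holds only the Debian key; d-i is pointed at Emdebian.
    The keyring package that would add the Emdebian key is unreachable."""
    return reachable_archives([EMDEBIAN_GRIP], [DEBIAN_KEY])


def scenario_key_in_udeb():
    """Option 3: the Emdebian key is shipped in the udeb keyring, so the installer
    can verify the Emdebian archive directly."""
    return reachable_archives([EMDEBIAN_GRIP], [DEBIAN_KEY, EMDEBIAN_KEY])


def scenario_fetch_keyring_from_debian_first():
    """Option 4 shape: the installer first uses a trusted Debian mirror to obtain
    emdebian-archive-keyring, then the Emdebian archive becomes verifiable."""
    return reachable_archives([DEBIAN_MIRROR, EMDEBIAN_GRIP], [DEBIAN_KEY])


if __name__ == "__main__":
    print("key only behind Emdebian archive:", scenario_key_only_in_emdebian_archive())
    print("key in udeb keyring (Option 3):   ", scenario_key_in_udeb())
    print("keyring fetched from Debian first:", scenario_fetch_keyring_from_debian_first())
```

The first scenario returns an empty set whatever version number the keyring package in the Emdebian archive carries, which is the point made above: a higher version is irrelevant if the archive offering it cannot be verified in the first place. The order of archives in the list does not matter, because the loop runs to a fixed point.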

