On Wed, 31 Dec 2008 14:59:11 +0100 Luk Claes <luk@debian.org> wrote: > Neil Williams wrote: > > When the Lenny freeze started, I wasn't in any position to consider an > > Emdebian release based on Lenny, I was expecting to get the tools into > > Lenny and release with Squeeze. However, the delays to Lenny have meant > > that Emdebian is almost ready (as close as Debian at any rate) to a > > dual release alongside Lenny: > > > Grip can use the standard Debian Installer images for the available > > architectures - all that is needed is a change in the choice of mirror, > > either manually or via preseeding. The problem is that the emdebian > > archive keyring is not available to the Lenny d-i because that uses > > only debian-archive-keyring, which is maintained by debian-release. > > > I have prepared an emdebian-archive-keyring-udeb package if that is > > helpful - it currently Conflicts: with and Provides: > > debian-archive-keyring-udeb and consists of the d-a-k-udeb plus the > > emdebian key. > > Would providing a debian-archive-kerying package (including the emdebian > key) in the emdebian archive not be sufficient (with a higher version > than the one in the Debian archive)? AFAICT, only if all the ISO's are rebuilt with the higher version of debian-archive-keyring (or equivalent) pre-installed inside. It's a problem of where the key lives - debootstrap needs to have the key in an archive that it can already trust before it can use the key to trust an archive signed by that key. Putting the Emdebian key behind a repository signed by a key not already in debian-archive-keyring doesn't help. The Emdebian key is currently available in a Debian package which means that the Emdebian key is (indirectly) verified by the current version of debian-archive-keyring. Direct verification requires installation of the package from Debian or inclusion of the Emdebian key into the debian-archive-keyring package, either in the Debian mirrors or in d-i via the -udeb. Putting either emdebian-archive-keyring or debian-archive-keyring (with the emdebian key added) into the Emdebian archive means that debootstrap has to first verify the Emdebian archive before being able to upgrade debian-archive-keyring to the version that provides the key to verify the Emdebian archive. Chicken and egg. The options, as I see them (and in no particular order or preference), are: 1. Make the Emdebian key part of the debian-archive-keyring within all of Debian so that all Debian ISO's and all Lenny installations have the Emdebian key available, (making the current emdebian-archive-keyring package redundant in the process), or 2. Bring the Emdebian repository/server under the control of debian-release so that the repository can be signed by a key already in debian-archive-keyring, dropping the current Emdebian key completely, or 2a. Bring *a copy of the* Emdebian Grip repository under the control of debian-release so that it can be signed by a key already in debian-archive-keyring, or 3. Only put the Emdebian key into *udeb* (debian-archive-keyring-udeb) in Debian Lenny so that once the D-I images are updated for the final release, only the installer can verify the Emdebian archive - this means that the installed systems have no Emdebian keys installed unless the user subsequently chooses to install the relevant package from Debian. This change has no effect *unless* the installation is pre-seeded to use the Emdebian archive or the user deliberately enters the full Emdebian archive details into the relevant installation prompts, or 4. Create a hook in d-i that tries to get the emdebian-archive-keyring package from a Debian Lenny mirror if the user selects the Emdebian archive during the install - not sure how that could be done without causing yet more translation grief for Christian and work for d-i, or 5. Leave me to rebuild every ISO to add a single 2kb file. Options 1 and 2 are roughly equivalent. Options 4 and 5 probably involve the most work - for d-i with option 4, for me with option 5. I realise Option 3 means that the installer will allow installs from archives that are not under the direct control of debian-release but it would only do so under direct instructions from the user. The process would be documented only on www.emdebian.org. The Emdebian Grip repository (http://buildd.emdebian.org/grip unstable main) (http://www.emdebian.org/grip/dists/unstable/main/) is quite small; Option 2a would make it semi-official. Whilst it is one of my objectives to get Emdebian accepted as an official Debian install in time for Squeeze, I'm not sure that the packages based on Lenny are quite ready for an "official Debian" tag. Is there any chance for Option 3, just changing the udeb in Lenny? -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/
Attachment:
pgpXl3iPJErLp.pgp
Description: PGP signature