
Bug#457899: RFP: ubuntu-archive-keyring -- GnuPG keys of the Ubuntu archive



Hi,

Dererk <dererk@debian.org> writes:

> For what I see, I think this represents more like a serious security
> breach for the Debian Project adopting a third-party keyring, than to
> perform this very special task by hand in the very limited scenarios
> this could be necessary.

How is this different from including debian-edu-archive-keyring,
debian-ports-archive-keyring and emdebian-archive-keyring? As far as I
know none of those archives are maintained on the official Debian
infrastructure.

As this is just distributing a public key (I don't think there is a need
to run apt-key automatically for the Ubuntu keyrings), it is not even
that different from all the public SSL keys that we ship.

It only makes it easier for users to establish a chain of trust to the
keyring (when you trust Debian and the maintainer of the package).  For
this reason the maintainer should of course ideally be someone who can
verify the integrity of the key without relying on others.

Regards,
Ansgar


