Bug#457899: RFP: ubuntu-archive-keyring -- GnuPG keys of the Ubuntu archive
Hi,
On Fri, 06 Aug 2010 11:36:51 +0900
Ansgar Burchardt <ansgar@43-1.org> wrote:
> Dererk <dererk@debian.org> writes:
>
> > For what I see, I think this represents more like a serious security
> > breach for the Debian Project adopting a third-party keyring, than to
> > perform this very special task by hand in the very limited scenarios
> > this could be necessary.
>
> How is this different from including debian-edu-archive-keyring,
> debian-ports-archive-keyring and emdebian-archive-keyring? As far as I
> know none of those archives are maintained on the official Debian
> infrastructure.
I agree with what Ansgar said. There are some non-Debian-official keyrings in
the Debian repository now. And I couldn't see any security breach for Debian
by adopting a third-party keyring as a package.
- Is there a security breach? If so, how?
+ Non-Debian-official third-party keyring packages are already in the repo.
+ A third-party keyring package is not installed by default. Only developers
  who want to use it would use it. If there's a security risk, it's limited.
------------------------------------------------------------------------------
Pros)
- Debian developers can test in an Ubuntu environment
  It makes porting from/checking bug fixes in Ubuntu easier.
+ It will help Ubuntu, and making the difference small is also a benefit for Debian.
Cons)
- We should put & (also) maintain the Ubuntu-archive-keyring package
- Security breach? (don't know its impact)
Thoughts?
--
Regards,
Hideki Yamane henrich @ debian.or.jp/org
http://wiki.debian.org/HidekiYamane