Package: apt
Version: 1.8.4
Severity: normal

Hello Ansgar,

04.11.19 09:44 Ansgar:
> Paul Wise writes:
> > On Mon, Nov 4, 2019 at 4:52 AM Guillem Jover <guillem@debian.org> wrote:
> >> The official archive-keyring packages that use these, I think it's mostly
> >> for backwards compatibility reasons.
> >
> > I wonder if it is feasible to and how the debian-archive-keyring could
> > migrate from /etc/apt/trusted.gpg.d/ to /usr/share/keyrings/ +
> > signed-by. Right now it ships keyrings in both places.
>
> I would recommend against doing this as long as sources.list is a
> configuration file: it would need regular updates to change to the new
> signing key. That doesn't work out of the box.

Maybe apt could deprecate /etc/apt/trusted* and apt-key(8) in bullseye
and abandon them in bullseye+1.

The whole concept of having one keyring that authenticated all sources
is wrong. I had my share in making /etc/apt/trusted.d possible, but now
that we have "Signed-By:" it is the inferior solution and thus not
needed anymore.

d-i should start to create sources.list with "Signed-By:" right now,
#944102 [1].

apt or debian-archive-keyring could provide a migration script for
sources.list entries without "Signed-By:" which could, at least for
origin=Debian, add the correct "Signed-By:" option.

Regards
Timo

[1] https://bugs.debian.org/944102
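A sketch of the migration proposed in the message above, added here as an example; it is not part of the original message and is not apt's or debian-archive-keyring's code. It handles one-line-style entries only, and both the host list standing in for origin=Debian and the keyring file name under /usr/share/keyrings/ are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions, not from the original message: the hosts treated as
# origin=Debian and the keyring file shipped by debian-archive-keyring.
DEBIAN_HOSTS = {"deb.debian.org", "security.debian.org"}
KEYRING = "/usr/share/keyrings/debian-archive-keyring.gpg"

# One-line-style entry: type, optional [options], URI, suite and components.
ENTRY = re.compile(r"^(\s*)(deb(?:-src)?)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(.+)$")

def add_signed_by(line):
    """Add signed-by to a Debian entry that lacks it; return others unchanged."""
    m = ENTRY.match(line)
    if not m:
        return line  # comment, blank line, or disabled entry
    indent, kind, opts, uri, rest = m.groups()
    options = (opts or "").split()
    if any(o.lower().startswith("signed-by=") for o in options):
        return line  # an explicit pin always wins
    try:
        host = urlsplit(uri).hostname
    except ValueError:
        return line  # unparsable URI: leave it for the admin
    if host not in DEBIAN_HOSTS:
        return line  # third-party source: the key to use is unknown
    options.append("signed-by=" + KEYRING)
    return f"{indent}{kind} [{' '.join(options)}] {uri} {rest}"

def migrate(text):
    """Rewrite a whole sources.list, preserving line endings."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        out.append(add_signed_by(body) + line[len(body):])
    return "".join(out)

# Constructed sample input (repo.example.org is a placeholder).
SAMPLE = """\
# constructed sample
deb http://deb.debian.org/debian buster main
deb-src [arch=amd64] http://security.debian.org/debian-security buster/updates main
deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example.org/apt stable main
deb https://repo.example.org/apt stable main
"""

if __name__ == "__main__":
    print(migrate(SAMPLE), end="")
```

Third-party entries are deliberately left alone: without a known mapping from source to key, adding signed-by would either break the source or pin it to the wrong keyring.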