
Bug#968148: /usr/bin/apt-key: Suggestion for manpage and Warning



On Tue, Feb 02, 2021 at 02:02:42PM +0000, Julian Gilbey wrote:
> On Tue, Feb 02, 2021 at 10:53:03AM +0100, David Kalnischkies wrote:
> > Hi,
> > 
> > On Mon, Feb 01, 2021 at 12:42:01PM +0000, Julian Gilbey wrote:
> > > I just stumbled upon an "Ask Ubuntu" discussion, which has a very
> > > clear explanation of (at least some of) the reasons for the
> > > deprecation of apt-key and what to do instead:
> > > https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1300076#1300076
> > > 
> > > Logging it here in the hope that it will be of use to others.
> > 
> > It's Julian (juliank) who runs this deprecation and I have close to zero
> > interest in third party repositories, so I do not want to butt in on
> > these BUT that linked accepted answer is really not a good answer…
> > at least scroll a bit down and read the others if you really must.
> > 
> > [... detailed comments and ideas snipped ...]
> > 
> > Best regards
> > 
> > David Kalnischkies
> 
> Hi David,
> 
> That's really helpful, thanks!
> 
> What seems to come from your answer is that there is no "canonical"
> way to do it.  But in the absence of guidance, each person setting up
> their own repository will do it in their own way.  I had no idea of
> the potential dangers of the /etc/apt/trusted.gpg.d directory, for
> example, though I'm not sure that using signed-by is necessarily
> better.
> 
> What would be helpful, and what this whole thread is essentially
> about, is a request for the apt maintainers, who really know the
> architecture of the apt system and are probably the best-placed to
> give this guidance, to provide some "official" guidelines as to best
> practice in the apt packages.  From your message, it seems as though
> there are actually two distinct audiences: repository maintainers and
> sysadmins.

Best practice will be to embed the key into a deb822 sources file, but
that's for bookworm+ and doesn't help much yet.

As of now, there are no best practices. I just drop files into
trusted.gpg.d, others drop them into /usr/[local/]share/keyrings and use
signed-by.

Hence I don't want to commit to anything too concrete yet, either way.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
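
The two approaches named in this message differ in key scope: a key dropped into trusted.gpg.d is accepted for every configured source, while signed-by ties one source to one keyring. The following audit sketch is an added example, not part of the original thread or of apt itself; it classifies one-line-format source entries by which of the two they rely on. The function names and the sample entries are constructed for illustration, and deb822 `.sources` files are not handled.

```shell
#!/bin/sh
# Classify one-line-format apt source entries by how their key is scoped.
# Output per entry:
#   pinned <uri> <signed-by value>   entry names its own keyring via signed-by
#   global <uri>                     entry relies on the global trust store
#                                    (/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d/)
classify_sources() {
    awk '
    $1 == "deb" || $1 == "deb-src" {
        key = ""; i = 2
        # Options, when present, are a bracketed list before the URI.
        if ($2 ~ /^\[/) {
            for (; i <= NF; i++) {
                tok = $i; last = (tok ~ /\]$/)
                sub(/^\[/, "", tok); sub(/\]$/, "", tok)
                if (tok ~ /^signed-by=/) key = substr(tok, 11)
                if (last) { i++; break }   # i now points at the URI
            }
        }
        if (key != "") print "pinned", $i, key
        else           print "global", $i
    }' "$@"
}

# Constructed sample input (hypothetical repositories and keyring paths).
sample_sources() {
    cat <<'EOF'
# key for this one was dropped into /etc/apt/trusted.gpg.d
deb https://repo.example.org/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://pkgs.example.net/debian stable main
deb-src [ signed-by=/usr/local/share/keyrings/other.gpg ] https://src.example.com/debian stable main
EOF
}

sample_sources | classify_sources
```

On a real system the function can be pointed at `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*.list`; every `global` line is a source whose packages are accepted if signed by any key in the global trust store.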

