Re: Facilitating external repositories
Hey, Wouter.
On 06/04/2015 12:18 PM, Wouter Verhelst wrote:
> Hi,
>
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
>
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
> keys and generates a sources.list.d file for the repository;
> - Run "apt-get update";
> - Install the "eid-mw" and/or "eid-viewer" packages.
>
> This works, but it has a number of downsides:
> - The second step, "run apt-get update", is often overlooked; this seems
> to be the case especially for users of Ubuntu, where the default
> handler for installing packages is the "Software Center", a GUI
> software management tool that doesn't have any UI element for doing
> (the equivalent of) apt-get update
Huh... this is unfortunate. I can imagine a package that installs some
kind of one-time cronjob that will execute 'apt-get update' a minute
later, but I don't like the idea... I hope there's something better
available.
> - There is no trust path from your already-installed distribution to the
> "archive" package (yes, I did sign the gpg keys; no, I don't consider
> that enough).
Yeah, unfortunately this is sort of a catch-22 problem... IMHO we want an
external archive key to be easily replaceable in case it's ever
compromised, yet we also want that same key to be "easily trust-able",
which takes time and several signatures of known keys to do... i.e. an
investment.
I recall the prior DPL wanting to support PPAs in Debian, and I would
imagine that this issue is one of the "sticking points" to that idea.
BTW, does the 'debian-keyring' package exist on Ubuntu and Mint? If so, I
could imagine that your eid-archive package could have a pre-depends on
debian-keyring and check that GPG keys installed by eid-archive are
signed by a DD or DM. As the debian-keyring package would come from the
main archive, that would at least have a trust path to the signing key
of the main distribution repository.
That's what I can think of at the moment anyway.
-- Chris
--
Chris Knadle
Chris.Knadle@coredump.us
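The check Chris sketches above (every key shipped by the archive package must carry a good certification from a key present in debian-keyring), written out as an added shell example that is not part of the thread. The keyring paths and the script name are assumptions; the parsing relies on gpg's documented --with-colons record layout (field 1 record type, field 2 signature validity, field 5 long key ID).

```shell
#!/bin/sh
# Added example (not from the thread): check that every key shipped in an
# external archive keyring carries a good certification from a key that is
# present in debian-keyring. Keyring paths are assumptions; override via env.
set -eu

ARCHIVE_KEYRING="${ARCHIVE_KEYRING:-/etc/apt/trusted.gpg.d/eid-archive.gpg}"
DEBIAN_KEYRING="${DEBIAN_KEYRING:-/usr/share/keyrings/debian-keyring.gpg}"

# Long key IDs (field 5 of "pub" records) of all keys in a keyring.
keyids_in() {
  gpg --no-default-keyring --keyring "$1" --with-colons --list-keys 2>/dev/null \
    | awk -F: '$1 == "pub" { print $5 }'
}

# --check-sigs on the archive keys with both keyrings loaded, so signatures
# made by debian-keyring members can actually be verified, not just listed.
# In --with-colons output a "sig" record whose field 2 is "!" verified OK.
checked_sigs() {
  # shellcheck disable=SC2046  # word-splitting the key ID list is intended
  gpg --no-default-keyring --keyring "$ARCHIVE_KEYRING" \
      --keyring "$DEBIAN_KEYRING" --with-colons --check-sigs $(keyids_in "$ARCHIVE_KEYRING")
}

# check_signed_by "<whitespace-separated trusted key IDs>" "<colon output>"
# Prints "OK <keyid>" or "UNSIGNED <keyid>" for every archive key; exit status
# is 0 only when each key has a good ("!") signature from a trusted key ID.
check_signed_by() {
  printf '%s\n' "$2" | awk -F: -v signers="$1" '
    function flush() {
      if (cur == "") return
      if (ok) print "OK " cur; else { print "UNSIGNED " cur; bad = 1 }
    }
    BEGIN { bad = 0; n = split(signers, s, " "); for (i = 1; i <= n; i++) trusted[s[i]] = 1 }
    $1 == "pub" { flush(); cur = $5; ok = 0 }
    $1 == "sig" && $2 == "!" && ($5 in trusted) { ok = 1 }
    END { flush(); exit bad }
  '
}

# Live run against the real keyrings: ./check-archive-key.sh --live
if [ "${1:-}" = "--live" ]; then
  check_signed_by "$(keyids_in "$DEBIAN_KEYRING")" "$(checked_sigs)"
fi
```

A signature that merely exists as a packet but cannot be verified (validity "?") does not count, which is why both keyrings are loaded for --check-sigs.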