
Re: Facilitating external repositories



Hey, Wouter.

On 06/04/2015 12:18 PM, Wouter Verhelst wrote:
> Hi,
> 
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
> 
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
>   keys and generates a sources.list.d file for the repository;
> - Run "apt-get update";
> - Install the "eid-mw" and/or "eid-viewer" packages.
> 
> This works, but it has a number of downsides:
> - The second step, "run apt-get update", is often overlooked; this seems
>   to be the case especially for users of Ubuntu, where the default
>   handler for installing packages is the "Software Center", a GUI
>   software management tool that doesn't have any UI element for doing
>   (the equivalent of) apt-get update

Huh... this is unfortunate.  I can imagine a package that installs some
kind of one-time cronjob that will execute 'apt-get update' a minute
later, but I don't like the idea... I hope there's something better
available.

> - There is no trust path from your already-installed distribution to the
>   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>   that enough).

Yeah, unfortunately this is sort of a catch-22 problem... IMHO we want an
external archive key to be easily replaceable in case it's ever
compromised, yet we also want that same key to be "easily trust-able",
which takes time and several signatures of known keys to do... i.e. an
investment.

I recall the prior DPL wanting to support PPAs in Debian, and I would
imagine that this issue is one of the "sticking points" to that idea.

BTW, does the 'debian-keyring' package exist on Ubuntu and Mint?  If so I
could imagine that your eid-archive package could have a pre-depends on
debian-keyring and check that the GPG keys installed by eid-archive are
signed by a DD or DM.  As the debian-keyring package would come from the
main archive, that would at least have a trust path to the signing key
of the main distribution repository.

That's what I can think of at the moment anyway.

   -- Chris

-- 
Chris Knadle
Chris.Knadle@coredump.us

