Package: pkg-mozilla-archive-keyring
Version: 1.2
Severity: wishlist

Shipping /etc/apt/trusted.gpg.d/pkg-mozilla-archive-keyring.gpg makes it so that key is considered a valid signing key for all repositories on the system (including the main debian repo in the common default installation, unfortunately!)

It is safer to ship keyrings in /usr/share/keyrings/ and to supply a signed-by option for the apt sources that points to the specific key. This scopes the permissions of the key to a single repository.

For more details, see:

https://wiki.debian.org/DebianRepository/UseThirdParty

Regards,

        --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- Configuration Files:
/etc/apt/trusted.gpg.d/pkg-mozilla-archive-keyring.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/pkg-mozilla-archive-keyring.gpg'

-- no debconf information
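
Added example, not part of the original report: a shell audit of the situation described above, listing the keyrings that are trusted for every repository and the one-line source entries that carry no signed-by option. The demo tree, repo.example.org and example-archive-keyring.gpg are constructed placeholders; deb822 .sources files are not covered.

```shell
#!/bin/sh
# audit_sources ROOT: report one-line-format deb/deb-src entries with no
# signed-by option; apt checks those against every globally trusted key.
audit_sources() {
    for f in "$1"/sources.list "$1"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk '$1 == "deb" || $1 == "deb-src" {
            opts = ""
            if (substr($2, 1, 1) == "[") {      # options block: [ k=v k=v ]
                s = index($0, "["); e = index($0, "]")
                opts = substr($0, s, e - s + 1)
            }
            if (opts !~ /signed-by=/)
                printf "%s:%d: no signed-by: %s\n", FILENAME, FNR, $0
        }' "$f"
    done
}

# global_keys ROOT: list keyring files that are valid for all repositories.
global_keys() {
    for k in "$1"/trusted.gpg "$1"/trusted.gpg.d/*.gpg "$1"/trusted.gpg.d/*.asc; do
        if [ -f "$k" ]; then printf '%s\n' "$k"; fi
    done
}

# make_demo_tree: build a constructed stand-in for /etc/apt and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sources.list.d" "$d/trusted.gpg.d"
    printf '%s\n' 'deb http://deb.debian.org/debian testing main' > "$d/sources.list"
    printf '%s\n' '# key scoped to this one repository' \
        'deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/debian testing main' \
        > "$d/sources.list.d/scoped.list"
    printf '%s\n' 'deb [ arch=amd64 ] https://repo.example.org/other testing main' \
        > "$d/sources.list.d/unscoped.list"
    : > "$d/trusted.gpg.d/pkg-mozilla-archive-keyring.gpg"   # empty placeholder file
    printf '%s\n' "$d"
}

# Demo on the constructed tree; pass /etc/apt instead to audit a real system.
root=$(make_demo_tree)
echo "Keys trusted for every repository:"; global_keys "$root"
echo "Entries relying on those keys:";     audit_sources "$root"
rm -rf "$root"
```
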

