On Tue, 22 Dec 2009 13:29:44 -0500
Daniel Kahn Gillmor <[email protected]> wrote:

> On 12/22/2009 01:13 PM, Neil Williams wrote:
> > What tools are you talking about, specifically?
> 
> I ran into this issue today looking into making a debirf image based
> on emdebian.  debirf passes the --keyring parameter to debootstrap
> where possible.

multistrap was written to make that whole process easier - it simply
uses the keyring via apt-key. There is no need for /usr/share/keyrings/

> > Mixing Emdebian packages with Debian or Ubuntu is not a good idea,
> > generally. Only Emdebian Grip has this kind of support. Emdebian
> > Crush and Emdebian Grip use the same keyring - the only way to tell
> > the difference is via dpkg --vendor queries.
> 
> understood, and my goal was not to combine emdebian packages with
> ubuntu or debian packages in the same system.  the goal was to make
> sure that debootstrap-style tools could find the appropriate keyring
> to build a clean chroot securely.

See multistrap.

There is no guarantee that Emdebian packages will work with
debootstrap. emdebian-rootfs provides a debootstrap replacement
(because debootstrap itself doesn't understand Emdebian Crush) and
Emdebian Grip is best utilised via multistrap, not debootstrap.

I'm not sure now whether it is wise to *have* the emdebian key
in /usr/share/keyrings - it might give the wrong impression.

Remember: debootstrap is horribly incomplete for embedded use and is
only truly capable of making a (poor) chroot that is too biased
towards a full size desktop or server installation. Emdebian Grip and
Crush need a custom installer that can make a bootable filesystem
without needing to boot the device itself (as D-I requires) to copy the
files over.

Only debootstrap uses the keyring files in /usr/share/keyrings and even
then, not as default. multistrap uses the apt keyring which is set up
via the postinst.

The only reason debootstrap does this is for D-I usage where dpkg and
apt cannot be assumed to exist. Emdebian does not provide a version
of D-I or anything like it. Instead D-I is used to provide a base
install which is then migrated to Emdebian Grip.

I'm no longer sure I want to have a keyring in /usr/share/keyrings -
I'm not sure it is helpful. The more I hear about what you're trying to
do, the more I think I'll revert the change and close this bug as
wontfix. This is why I didn't put the keyring in /usr/share/keyrings in
the first place, now I think about it.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/
