On Tue, 22 Dec 2009 14:23:33 -0500
Daniel Kahn Gillmor <[email protected]> wrote:

> On 12/22/2009 02:03 PM, Neil Williams wrote:
> > multistrap was written to make that whole process easier - it simply
> > uses the keyring via apt-key. There is no need
> > for /usr/share/keyrings/
> 
> interesting, i didn't know about multistrap.  using the system keyring
> from apt-key might not make sense, if the goal is to build a target
> device that pulls from an entirely different repository than the host
> uses, though.

The key is used to download the packages using the system apt and using
customised options to apt, in download-only mode.

The key is also used to copy into the chroot so that running dpkg
--configure -a adds the key to apt-key.

multistrap simply uses apt to handle dependencies and proxies etc.
instead of using wget directly. This way, multistrap is quite happy to
work with foreign architectures (the original purpose of writing
multistrap was explicitly for foreign architectures, avoiding
various inherent limitations within debootstrap). 

The keyrings used by the final device are handled via options in the
multistrap configuration, independently of the system config.

> or am i misunderstanding what you mean by "the keyring via apt-key" ?

apt-key doesn't use /usr/share/keyrings either, it uses /etc/apt/ which
isn't accessible directly, only via apt-key, hence the postinst.
 
> > I'm not sure now whether it is wise to *have* the emdebian key
> > in /usr/share/keyrings - it might give the wrong impression.
> 
> what impression are you concerned that you'll make?

That debootstrap is a suitable tool for use with Emdebian; that is not
necessarily true. debootstrap has the wrong focus.

>  are you aware
> that many other keyrings can be placed there (including the keyring
> for all DDs, and the DM keyring) that have nothing to do with apt
> repositories at all?  i don't know of any policy about it, but it
> seems to be the main location for packages to install keyrings that
> might be needed by other processes the system in general.

emdebian-archive-keyring isn't intended to be useful to the system in
general, it's there for Emdebian support. No other packages or tools
are expected to use it.

> > Remember: debootstrap is horribly incomplete for embedded use and is
> > only truly capable of making a (poor) chroot that is too biased
> > towards a full size desktop or server installation. Emdebian Grip
> > and Crush need a custom installer that can make a bootable
> > filesystem without needing to boot the device itself (as D-I
> > requires) to copy the files over.
> 
> well, i can't remember this right now because i didn't know it before.
> but i'll remember it in the future ;)  and i'll learn about multistrap
> to see if it's something we should be using in debirf instead.
>
> > I'm no longer sure I want to have a keyring in /usr/share/keyrings -
> > I'm not sure it is helpful. The more I hear about what you're
> > trying to do, the more I think I'll revert the change and close
> > this bug as wontfix. This is why I didn't put the keyring
> > in /usr/share/keyrings in the first place, now I think about it.
> 
> i'm not sure i think that's a good argument for putting a keyring in
> an unusual location, when it might be handy for other tools to find
> it, given the various types of keyrings that are placed
> in /usr/share/keyrings.

That's the point, I'm not sure that it is worth making it easy for
tools that don't understand Emdebian to be able to find the emdebian
archive keyring.

Emdebian Grip will probably work but Emdebian Crush is full of
assumptions that break the debootstrap model (there's no perl or
coreutils in Crush). Both use the same key.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/
