On Tue, 2 Sep 2025 14:01:42 +0200 Roland Clobus <rclo...@rclobus.nl> wrote:
> Hello list,
>
> Just before trixie was released, the warning about the deb822 format
> for sources.list was removed; now is the time to implement it
> properly for forky.
>
> Recently a MR was prepared for live-build [1] (the generator of the
> live images), which makes me think about the 'Signed-By' field.
>
> Should this field be filled explicitly with the value
> '/usr/share/keyrings/debian-archive-keyring.gpg', or better not?
>
> As I understand it [2]:
> "If no keyring files are specified the default is the trusted.gpg
> keyring and all keyrings in the trusted.gpg.d/ directory"
>
> So the most secure variant would be to fill the field, as only one
> keyring will be considered.

The PR (which I filed) is currently using "Signed-By" in most places (I believe everywhere it's reasonably possible to use it), mainly because I notice apt complains (gently) if it's missing, with the message "Notice: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'" or similar.

While not critical, I found these messages to be unsightly, and they seemed to hint that including Signed-By was a good idea, so I included it just to be sure.

--
Aaron

> With kind regards,
> Roland Clobus
> Maintainer for the live images
>
> [1] https://salsa.debian.org/live-team/live-build/-/merge_requests/436
> [2] https://manpages.debian.org/trixie/apt/sources.list.5.en.html
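The point both posts turn on is that a deb822 stanza without Signed-By falls back to apt's default trust store (trusted.gpg plus everything in trusted.gpg.d/), while a stanza that names a keyring restricts verification of that repository to that file. The script below is an added example, not code from this thread, from live-build or from apt: it writes a constructed two-stanza .sources file (one stanza with Signed-By pinned to the archive keyring, one without) and then lists the URIs of every stanza that has no Signed-By, which is the same condition apt's "Missing Signed-By" notice flags. The function names `write_sample` and `missing_signed_by` are the example's own; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, live-build or apt).
# Lists deb822 stanzas that lack a Signed-By field, i.e. stanzas whose
# Release files would be checked against every key in trusted.gpg and
# trusted.gpg.d/ instead of one explicitly named keyring.

# Write a constructed sample .sources file to the path given as $1.
# The first stanza pins the archive keyring; the second omits Signed-By.
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample for the example; not a real system file.
Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian-security
Suites: trixie-security
Components: main
EOF
}

# Print the URIs value of each stanza in the deb822 file $1 that has no
# Signed-By field. Stanzas are separated by blank lines; '#' comment
# lines are ignored, as they are by apt.
missing_signed_by() {
    awk '
        # Emit the current stanza if it was non-empty and unsigned, then reset.
        function flush() {
            if (seen && !signed) print uris
            seen = 0; signed = 0; uris = "(no URIs)"
        }
        BEGIN        { uris = "(no URIs)" }
        /^#/         { next }                      # comment line
        /^[ \t]*$/   { flush(); next }             # blank line ends a stanza
                     { seen = 1 }                  # any other line: stanza has content
        /^Signed-By:/ { signed = 1 }
        /^URIs:/     { sub(/^URIs:[ \t]*/, ""); uris = $0 }
        END          { flush() }                   # last stanza may lack a trailing blank line
    ' "$1"
}

# Usage: run the check over the constructed sample.
sample=$(mktemp)
write_sample "$sample"
missing_signed_by "$sample"    # prints: http://deb.debian.org/debian-security
rm -f "$sample"
```

Pointing `missing_signed_by` at a real file under /etc/apt/sources.list.d/ gives the same list apt would warn about; the fix for each reported stanza is to add a Signed-By line naming the keyring that repository is actually signed with, as Roland's message suggests for the Debian archive.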