On Thu 2018-05-17 15:37:55 +0000, Fiedler Roman wrote:
> Von: Daniel Kahn Gillmor [mailto:d...@fifthhorseman.net]
>
>> See sources.list(5) and
>> https://wiki.debian.org/DebianRepository/UseThirdParty for more details.
>> 
>> See also https://bugs.debian.org/877012 for suggestions about
>> improvements to scoped cryptographic authorities for the default
>> installation of debian repositories.
>
> Thanks for the information. I thought that the new model would be
> using "/etc/apt/trusted.gpg.d", as recommended by an online version of
> "apt-key".

I recommend not relying directly on apt-key, whether online or offline :)

> But of course the per-repository pinning of keys could make key
> management easier as there is a n:1 link between repositories and
> keys, thus it is easier to avoid stale keys in the common key storage
> file.

Yes.  Furthermore, per-repository pinning of keys avoids the possibility
of one repository owner signing a Release file for a different
repository.  This paves the way for a local administrator to put
meaningful constraints on a given external repository (e.g. pinning
which packages can be shipped from that repo, or restricting maintainer
scripts from running).

I welcome any and all help in continuing to drive the ecosystem down
this path.

Regards,

        --dkg
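[Editor's note: the configuration below is an added illustration of the per-repository key pinning and package constraints discussed in the reply above; it is not part of the original thread. The repository URL, suite, keyring path, origin hostname and package names are placeholders. The sources.list(5) deb822 format with `Signed-By`, and the apt_preferences(5) pin syntax, are the mechanisms the wiki page cited above describes.]

```text
# /etc/apt/sources.list.d/example-third-party.sources   (deb822 form, see sources.list(5))
# Placeholder values: URIs, Suites, Components, Signed-By path.
Types: deb
URIs: https://repo.example.org/debian
Suites: stable
Components: main
# The key lives in its own keyring file (here /etc/apt/keyrings, the path for
# operator-managed keys) and is NOT dropped into /etc/apt/trusted.gpg.d.
# apt will accept it only for Release files of this entry, so the owner of this
# key cannot sign a Release file that apt would accept for any other repository.
Signed-By: /etc/apt/keyrings/example-third-party-archive-keyring.gpg

# /etc/apt/preferences.d/example-third-party   (see apt_preferences(5))
# Constrain what this repository may ship: by default nothing from this origin
# is installable (a negative priority never installs), ...
Package: *
Pin: origin repo.example.org
Pin-Priority: -1

# ... and only the packages the local administrator names are allowed from it.
# Package-specific records take precedence over the "*" record above.
Package: example-tool example-tool-data
Pin: origin repo.example.org
Pin-Priority: 500
```

After `apt update`, `apt-cache policy example-tool` shows the pin that applies, and `apt-cache policy` lists each source with the origin it is matched on.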


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
