On Thu 2018-05-17 15:37:55 +0000, Fiedler Roman wrote:
> From: Daniel Kahn Gillmor [mailto:d...@fifthhorseman.net]
>
>> See sources.list(5) and
>> https://wiki.debian.org/DebianRepository/UseThirdParty for more details.
>>
>> See also https://bugs.debian.org/877012 for suggestions about
>> improvements to scoped cryptographic authorities for the default
>> installation of debian repositories.
>
> Thanks for the information. I thought that the new model would be
> using "/etc/apt/trusted.gpg.d", as recommended by an online version of
> "apt-key".

I recommend not relying directly on apt-key, whether online or offline :)

> But of course the per-repository pinning of keys could make key
> management easier as there is an n:1 link between repositories and
> keys, thus it is easier to avoid stale keys in the common key storage
> file.

Yes. Furthermore, per-repository pinning of keys avoids the possibility of one repository owner signing a Release file for a different repository. This paves the way for a local administrator to put meaningful constraints on a given external repository (e.g. pinning which packages can be shipped from that repo, or restricting maintainer scripts from running).

I welcome any and all help in continuing to drive the ecosystem down this path.

Regards,

--dkg
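The per-repository key pinning and package restriction discussed above, as an added example that is not part of the thread: a POSIX shell helper that writes a deb822 source stanza with `Signed-By` (so only that repository's own keyring can validate its Release file) and an apt preferences file that refuses everything from that origin except an allow-list of packages. The repository host `pkgs.example.com`, the keyring path and the package names are constructed placeholders; the target directory is a parameter so the output can be previewed in a scratch directory before being placed under /etc/apt.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates per-repository
# apt trust and pin files for a hypothetical third-party repository.
set -eu

write_pinned_repo() {
    root="$1"      # e.g. /etc/apt on a real host, or a scratch dir to preview
    name="$2"      # short name, used for the file names
    host="$3"      # repository host, used by the origin pin
    keyring="$4"   # path to this repository's own keyring file
    allowed="$5"   # space-separated packages allowed from this repository
    mkdir -p "$root/sources.list.d" "$root/preferences.d"

    # deb822 source with Signed-By: only this keyring can sign this
    # repository's Release file; keys trusted for other repos cannot.
    cat > "$root/sources.list.d/$name.sources" <<EOF
Types: deb
URIs: https://$host/debian
Suites: stable
Components: main
Signed-By: $keyring
EOF

    # Preferences: a negative priority refuses every package from this
    # origin; the allow-listed packages are then re-enabled at the
    # default priority of 500.
    {
        printf 'Package: *\nPin: origin "%s"\nPin-Priority: -1\n\n' "$host"
        for pkg in $allowed; do
            printf 'Package: %s\nPin: origin "%s"\nPin-Priority: 500\n\n' \
                "$pkg" "$host"
        done
    } > "$root/preferences.d/$name.pref"
}

# Sanity check: the source must name a Signed-By keyring that exists,
# otherwise apt will reject the repository as unsigned.
check_signed_by() {
    key=$(sed -n 's/^Signed-By: //p' "$1")
    [ -n "$key" ] && [ -f "$key" ]
}
```

After installing the files under /etc/apt, `apt-cache policy <package>` shows which origin and priority apt will actually use for each package.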
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users