Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/
On Wed, 27 Sep 2017 11:45:59 -0400 Daniel Kahn Gillmor wrote:
> On Fri 2017-05-26 11:42:06 -0400, Daniel Kahn Gillmor wrote:
> > On Thu 2017-05-25 19:35:42 +0100, Adam D. Barratt wrote:
> >> After a little discussion during last night's team meeting, I'm afraid
> >> that the consensus appears to be that at this stage of the freeze we
> >> shouldn't be making changes that aren't directly related to updating the
> >> set of trusted keys.
> >
> > well, i hope we can work something out for buster.
>
> Just a ping on this: can we start with having debian-archive-keyring
> ship a copy of the keys as individual keys in /usr/share/keyrings/ ?
>
> even if it leaves the keys in /etc/apt/trusted.gpg.d for now, that'd
> make it possible for a local administrator to run a tightly-administered
> system with normal updates to debian-archive-keyring while we figure out
> the next steps toward making this even easier.
>
> My longer-term target would be for a new install of buster to have an
> empty /etc/apt/trusted.gpg* , but i figure it'll be easier to get there
> one step at a time :)
>
> --dkg

Hi Daniel,

This has been in experimental for a while; have you had a chance to test
that it works as intended?

Thanks,
~Niels
Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/
On Fri 2017-05-26 11:42:06 -0400, Daniel Kahn Gillmor wrote:
> On Thu 2017-05-25 19:35:42 +0100, Adam D. Barratt wrote:
>> After a little discussion during last night's team meeting, I'm afraid
>> that the consensus appears to be that at this stage of the freeze we
>> shouldn't be making changes that aren't directly related to updating the
>> set of trusted keys.
>
> well, i hope we can work something out for buster.

Just a ping on this: can we start with having debian-archive-keyring
ship a copy of the keys as individual keys in /usr/share/keyrings/ ?

even if it leaves the keys in /etc/apt/trusted.gpg.d for now, that'd
make it possible for a local administrator to run a tightly-administered
system with normal updates to debian-archive-keyring while we figure out
the next steps toward making this even easier.

My longer-term target would be for a new install of buster to have an
empty /etc/apt/trusted.gpg* , but i figure it'll be easier to get there
one step at a time :)

--dkg
Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/
On Thu 2017-05-25 19:35:42 +0100, Adam D. Barratt wrote:
> On Tue, 2017-05-02 at 18:06 -0400, Daniel Kahn Gillmor wrote:
>> On Tue 2017-05-02 21:48:35 +0100, Adam D. Barratt wrote:
>> > It's quite late in the day to be making larger-scale changes to the
>> > package.
>>
>> agreed, in terms of stretch.
>>
>> > To clarify, are you suggesting shipping the separated files
>> > in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
>> > the existing location?
>>
>> for stretch, i think it'd need to be *as well as*, just because i don't
>> want to break existing usage.
>
> Apologies for taking a little while to get back to you again.
>
> After a little discussion during last night's team meeting, I'm afraid
> that the consensus appears to be that at this stage of the freeze we
> shouldn't be making changes that aren't directly related to updating the
> set of trusted keys.

well, i hope we can work something out for buster.

It's a bummer, because that means that instructions for making a
locked-down system for stretch and instructions for doing the same for
buster will vary more than they'd otherwise need to.

Please let me know how you think we should proceed post-stretch!

Ah well,

--dkg
Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/
On Tue, 2017-05-02 at 18:06 -0400, Daniel Kahn Gillmor wrote:
> On Tue 2017-05-02 21:48:35 +0100, Adam D. Barratt wrote:
> > It's quite late in the day to be making larger-scale changes to the
> > package.
>
> agreed, in terms of stretch.
>
> > To clarify, are you suggesting shipping the separated files
> > in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
> > the existing location?
>
> for stretch, i think it'd need to be *as well as*, just because i don't
> want to break existing usage.

Apologies for taking a little while to get back to you again.

After a little discussion during last night's team meeting, I'm afraid
that the consensus appears to be that at this stage of the freeze we
shouldn't be making changes that aren't directly related to updating the
set of trusted keys.

Regards,

Adam
Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/
On Tue 2017-05-02 21:48:35 +0100, Adam D. Barratt wrote:
> It's quite late in the day to be making larger-scale changes to the
> package.

agreed, in terms of stretch.

> To clarify, are you suggesting shipping the separated files
> in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
> the existing location?

for stretch, i think it'd need to be *as well as*, just because i don't
want to break existing usage.

for future versions of debian, we should think about how to deploy a
debian system installation where all sources.list entries have a
[signed-by=] option, where nothing is installed in
/etc/apt/trusted.gpg.d/ at all.

And transitioning a pre-existing debian machine to a scoped-authentication
apt configuration would be an even harder task, certainly not something
for stretch.

--dkg
Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/
On Tue, 2017-05-02 at 16:18 -0400, Daniel Kahn Gillmor wrote:
> With the upcoming release of stretch, we now have the ability to run a
> functional debian system with nothing in /etc/apt/trusted.gpg.d or
> /etc/apt/trusted.gpg at all, thanks to the "signed-by" option
> documented in sources.list(5).
>
> I'd prefer to document the signing key for each repository explicitly
> in my sources.list file, rather than have globally-authorized signing
> keys in /etc/apt/trusted.gpg*. This lets me more narrowly tailor
> which keys are authorized to provide which archives.
[...]
> However, debian-archive-keyring ships the keys broken out into
> separate locations only in /etc/apt/trusted.gpg.d/*.gpg, and in
> /usr/share/keyrings it only includes the bulk collection.
>
> It would be great if debian-archive-keyring made it possible to avoid
> placing anything in /etc/apt/trusted.gpg.d while maintaining the
> disaggregated files in /usr/share/keyrings/

It's quite late in the day to be making larger-scale changes to the
package.

To clarify, are you suggesting shipping the separated files
in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
the existing location?

Regards,

Adam
Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/
Package: debian-archive-keyring
Version: 2014.3
Severity: normal

Hi there!

With the upcoming release of stretch, we now have the ability to run a
functional debian system with nothing in /etc/apt/trusted.gpg.d or
/etc/apt/trusted.gpg at all, thanks to the "signed-by" option
documented in sources.list(5).

I'd prefer to document the signing key for each repository explicitly
in my sources.list file, rather than have globally-authorized signing
keys in /etc/apt/trusted.gpg*. This lets me more narrowly tailor
which keys are authorized to provide which archives. For example:

deb [signed-by=/usr/share/keyrings/debian-archive-stretch-stable.gpg] http://ftp.debian.org/debian stretch main non-free contrib

However, debian-archive-keyring ships the keys broken out into
separate locations only in /etc/apt/trusted.gpg.d/*.gpg, and in
/usr/share/keyrings it only includes the bulk collection.

It would be great if debian-archive-keyring made it possible to avoid
placing anything in /etc/apt/trusted.gpg.d while maintaining the
disaggregated files in /usr/share/keyrings/

--dkg

-- System Information:
Debian Release: 9.0
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debian-archive-keyring depends on:
ii  gpgv  2.1.18-7

Versions of packages debian-archive-keyring recommends:
ii  gnupg  2.1.18-7

debian-archive-keyring suggests no packages.

-- Configuration Files:
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg'
/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg'
/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg'

-- no debconf information
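The locked-down layout dkg asks for in the original report above and again in his 2017-05-02 reply (every sources.list entry carrying a [signed-by=...] option, and nothing left in /etc/apt/trusted.gpg*) is easy to drift away from, so here is a small audit script for it. This is an added example; it is not code from the bug report or from debian-archive-keyring. It assumes the one-line sources.list format shown in the report, keyring paths without spaces, and it runs against a constructed temporary tree with empty stub keyring files rather than a real system.

```shell
#!/bin/sh
# Added example, not part of Bug#861695 or of debian-archive-keyring:
# audit an apt configuration for "scoped authentication" -- every deb/deb-src
# entry names a keyring via [signed-by=...] that actually exists, and the
# global trust store (/etc/apt/trusted.gpg and trusted.gpg.d/) holds no keys.
# Assumption: one-line sources.list format only, keyring paths without spaces.

# Print every deb/deb-src entry in FILE whose option block has no signed-by=.
unscoped_entries() {
    sed -e 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*deb(-src)?[[:space:]]' \
      | grep -Ev '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*signed-by=' || true
}

# Print each keyring path named by a signed-by= option in FILE, one per line.
# signed-by= accepts a comma-separated list of paths, so split on commas.
signed_by_keyrings() {
    sed -e 's/#.*//' "$1" \
      | grep -Eo 'signed-by=[^] ]+' \
      | sed -e 's/^signed-by=//' \
      | tr ',' '\n' || true
}

# Return 0 if every entry in FILE is scoped to a keyring that exists, else 1.
sources_are_scoped() {
    file=$1
    rc=0
    unscoped=$(unscoped_entries "$file")
    if [ -n "$unscoped" ]; then
        printf 'unscoped entries in %s:\n%s\n' "$file" "$unscoped" >&2
        rc=1
    fi
    for keyring in $(signed_by_keyrings "$file"); do
        if [ ! -f "$keyring" ]; then
            echo "missing keyring: $keyring" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if ROOT/etc/apt/trusted.gpg is absent or empty and
# ROOT/etc/apt/trusted.gpg.d contains no files; ROOT defaults to /.
global_trust_empty() {
    root=${1:-}
    if [ -s "$root/etc/apt/trusted.gpg" ]; then
        echo "legacy keyring $root/etc/apt/trusted.gpg is not empty" >&2
        return 1
    fi
    if [ -d "$root/etc/apt/trusted.gpg.d" ] \
       && [ -n "$(ls -A "$root/etc/apt/trusted.gpg.d")" ]; then
        echo "globally trusted keys remain in $root/etc/apt/trusted.gpg.d:" >&2
        ls "$root/etc/apt/trusted.gpg.d" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed tree (stub keyring, not a real key): one scoped
# entry, one entry without signed-by, and an empty trusted.gpg.d.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/apt/trusted.gpg.d" "$demo_root/usr/share/keyrings"
: > "$demo_root/usr/share/keyrings/debian-archive-stretch-stable.gpg"
cat > "$demo_root/etc/apt/sources.list" <<EOF
# scoped: apt accepts Release files for this entry only from this keyring
deb [signed-by=$demo_root/usr/share/keyrings/debian-archive-stretch-stable.gpg] http://ftp.debian.org/debian stretch main non-free contrib
# unscoped: falls back to whatever is in /etc/apt/trusted.gpg*
deb http://security.debian.org/debian-security stretch/updates main
EOF
sources_are_scoped "$demo_root/etc/apt/sources.list" \
  || echo "sources.list is not fully scoped"
global_trust_empty "$demo_root" && echo "global trust store is empty"
rm -rf "$demo_root"
```

Run it against a real host with `sources_are_scoped /etc/apt/sources.list` (and each file under /etc/apt/sources.list.d/) and `global_trust_empty` with no argument. The two checks are deliberately separate: an entry without signed-by is only a problem once the global store is empty, because at that point there is no key left for apt to verify that entry's Release file against, which is exactly the failure mode the thread is steering towards on purpose.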