Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/

2018-05-26 Thread Niels Thykier
On Wed, 27 Sep 2017 11:45:59 -0400 Daniel Kahn Gillmor
 wrote:
> On Fri 2017-05-26 11:42:06 -0400, Daniel Kahn Gillmor wrote:
> > On Thu 2017-05-25 19:35:42 +0100, Adam D. Barratt wrote:
> >> After a little discussion during last night's team meeting, I'm afraid
> >> that the consensus appears to be that at this stage of the freeze we
> >> shouldn't be making changes that aren't directly related to updating the
> >> set of trusted keys.
> >
> > well, i hope we can work something out for buster.
> 
> Just a ping on this: can we start with having debian-archive-keyring
> ship a copy of the keys as individual keys in /usr/share/keyrings/ ?
> 
> even if it leaves the keys in /etc/apt/trusted.gpg.d for now, that'd
> make it possible for a local administrator to run a tightly-administered
> system with normal updates to debian-archive-keyring while we figure out
> the next steps toward making this even easier.
> 
> My longer-term target would be for a new install of buster to have an
> empty /etc/apt/trusted.gpg* , but i figure it'll be easier to get there
> one step at a time :)
> 
>--dkg

Hi Daniel,

This has been in experimental for a while; have you had a chance to test
that it works as intended?

Thanks,
~Niels



Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/

2017-09-27 Thread Daniel Kahn Gillmor
On Fri 2017-05-26 11:42:06 -0400, Daniel Kahn Gillmor wrote:
> On Thu 2017-05-25 19:35:42 +0100, Adam D. Barratt wrote:
>> After a little discussion during last night's team meeting, I'm afraid
>> that the consensus appears to be that at this stage of the freeze we
>> shouldn't be making changes that aren't directly related to updating the
>> set of trusted keys.
>
> well, i hope we can work something out for buster.

Just a ping on this: can we start with having debian-archive-keyring
ship a copy of the keys as individual keys in /usr/share/keyrings/ ?

even if it leaves the keys in /etc/apt/trusted.gpg.d for now, that'd
make it possible for a local administrator to run a tightly-administered
system with normal updates to debian-archive-keyring while we figure out
the next steps toward making this even easier.

My longer-term target would be for a new install of buster to have an
empty /etc/apt/trusted.gpg* , but i figure it'll be easier to get there
one step at a time :)

   --dkg




Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/

2017-05-26 Thread Daniel Kahn Gillmor
On Thu 2017-05-25 19:35:42 +0100, Adam D. Barratt wrote:
> On Tue, 2017-05-02 at 18:06 -0400, Daniel Kahn Gillmor wrote:
>> On Tue 2017-05-02 21:48:35 +0100, Adam D. Barratt wrote:
>> > It's quite late in the day to be making larger-scale changes to the
>> > package.
>> 
>> agreed, in terms of stretch.
>> 
>> > To clarify, are you suggesting shipping the separated files
>> > in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
>> > the existing location?
>> 
>> for stretch, i think it'd need to be *as well as*, just because i don't
>> want to break existing usage.
>
> Apologies for taking a little while to get back to you again.
>
> After a little discussion during last night's team meeting, I'm afraid
> that the consensus appears to be that at this stage of the freeze we
> shouldn't be making changes that aren't directly related to updating the
> set of trusted keys.

well, i hope we can work something out for buster.

It's a bummer, because that means that instructions for making a
locked-down system for stretch and instructions for doing the same for
buster will vary more than they'd otherwise need to.

Please let me know how you think we should proceed post-stretch!

Ah well,

   --dkg



Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/

2017-05-25 Thread Adam D. Barratt
On Tue, 2017-05-02 at 18:06 -0400, Daniel Kahn Gillmor wrote:
> On Tue 2017-05-02 21:48:35 +0100, Adam D. Barratt wrote:
> > It's quite late in the day to be making larger-scale changes to the
> > package.
> 
> agreed, in terms of stretch.
> 
> > To clarify, are you suggesting shipping the separated files
> > in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
> > the existing location?
> 
> for stretch, i think it'd need to be *as well as*, just because i don't
> want to break existing usage.

Apologies for taking a little while to get back to you again.

After a little discussion during last night's team meeting, I'm afraid
that the consensus appears to be that at this stage of the freeze we
shouldn't be making changes that aren't directly related to updating the
set of trusted keys.

Regards,

Adam



Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/

2017-05-03 Thread Daniel Kahn Gillmor
On Tue 2017-05-02 21:48:35 +0100, Adam D. Barratt wrote:
> It's quite late in the day to be making larger-scale changes to the
> package.

agreed, in terms of stretch.

> To clarify, are you suggesting shipping the separated files
> in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
> the existing location?

for stretch, i think it'd need to be *as well as*, just because i don't
want to break existing usage.

for future versions of debian, we should think about how to deploy a
debian system installation where all sources.list entries have a
[signed-by=] option, where nothing is installed in
/etc/apt/trusted.gpg.d/ at all.

And transitioning a pre-existing debian machine to a
scoped-authentication apt configuration would be an even harder task,
certainly not something for stretch.

  --dkg



Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/

2017-05-02 Thread Adam D. Barratt
On Tue, 2017-05-02 at 16:18 -0400, Daniel Kahn Gillmor wrote:
> With the upcoming release of stretch, we now have the ability to run a
> functional debian system with nothing in /etc/apt/trusted.gpg.d or
> /etc/apt/trusted.gpg at all, thanks to the "signed-by" option
> documented in sources.list(5).
> 
> I'd prefer to document the signing key for each repository explicitly
> in my sources.list file, rather than have globally-authorized signing
> keys in /etc/apt/trusted.gpg*.  This lets me more narrowly tailor
> which keys are authorized to provide which archives.
[...]
> However, debian-archive-keyring ships the keys broken out into
> separate locations only in /etc/apt/trusted.gpg.d/*.gpg, and in
> /usr/share/keyrings it only includes the bulk collection.
> 
> It would be great if debian-archive-keyring made it possible to avoid
> placing anything in /etc/apt/trusted.gpg.d while maintaining the
> disaggregated files in /usr/share/keyrings/

It's quite late in the day to be making larger-scale changes to the
package.

To clarify, are you suggesting shipping the separated files
in /u/s/keyrings /as well as/ /etc/apt/trusted.gpg.d, or /instead of/
the existing location?

Regards,

Adam



Bug#861695: debian-archive-keyring: Please ship release-specific keys separately outside of /etc/apt/trusted.gpg.d/

2017-05-02 Thread Daniel Kahn Gillmor
Package: debian-archive-keyring
Version: 2014.3
Severity: normal

Hi there!

With the upcoming release of stretch, we now have the ability to run a
functional debian system with nothing in /etc/apt/trusted.gpg.d or
/etc/apt/trusted.gpg at all, thanks to the "signed-by" option
documented in sources.list(5).

I'd prefer to document the signing key for each repository explicitly
in my sources.list file, rather than have globally-authorized signing
keys in /etc/apt/trusted.gpg*.  This lets me more narrowly tailor
which keys are authorized to provide which archives.

For example:

deb [signed-by=/usr/share/keyrings/debian-archive-stretch-stable.gpg] http://ftp.debian.org/debian stretch main non-free contrib

However, debian-archive-keyring ships the keys broken out into
separate locations only in /etc/apt/trusted.gpg.d/*.gpg, and in
/usr/share/keyrings it only includes the bulk collection.

It would be great if debian-archive-keyring made it possible to avoid
placing anything in /etc/apt/trusted.gpg.d while maintaining the
disaggregated files in /usr/share/keyrings/

  --dkg

-- System Information:
Debian Release: 9.0
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debian-archive-keyring depends on:
ii  gpgv  2.1.18-7

Versions of packages debian-archive-keyring recommends:
ii  gnupg  2.1.18-7

debian-archive-keyring suggests no packages.

-- Configuration Files:
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg'
/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg'
/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg'
/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg [Errno 2] No such file or directory: '/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg'

-- no debconf information
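The report above describes scoping archive trust with the [signed-by=] option so that an entry no longer relies on every key in /etc/apt/trusted.gpg*. As an added example (not from the bug report or the debian-archive-keyring package), the shell snippet below audits one-line-style sources.list entries and lists those that still lack a signed-by option; the sources.list fragment it parses is constructed inline, so it runs offline without root.

```shell
#!/bin/sh
# Added example: find apt source entries that carry no [signed-by=...]
# option and therefore fall back to the globally trusted keys in
# /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/. Only the one-line
# "deb"/"deb-src" format from sources.list(5) is handled here.

# Constructed sample sources.list: one scoped entry (as in the report),
# one unscoped entry, one scoped entry with additional options, plus a
# comment and a blank line.
SAMPLE_SOURCES='# constructed sample sources.list
deb [signed-by=/usr/share/keyrings/debian-archive-stretch-stable.gpg] http://ftp.debian.org/debian stretch main non-free contrib

deb http://ftp.debian.org/debian stretch-updates main
deb-src [arch=amd64 signed-by=/usr/share/keyrings/debian-archive-stretch-stable.gpg] http://ftp.debian.org/debian stretch main
'

# Print each deb/deb-src entry from $1 whose option block (the [...]
# right after the entry type) contains no signed-by= option.
unscoped_entries() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $1 == "deb" || $1 == "deb-src" {
            if ($0 !~ /^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*signed-by=/)
                print
        }'
}

# Number of unscoped entries; a hardening check can fail when it is non-zero.
count_unscoped() {
    unscoped_entries "$1" | awk 'END { print NR }'
}

# Stand-alone run: report on the constructed sample.
echo "Entries relying on global apt trust:"
unscoped_entries "$SAMPLE_SOURCES"
```

To audit a real system, pass the contents of /etc/apt/sources.list and each file in /etc/apt/sources.list.d/ to unscoped_entries; entries in the deb822 format use a Signed-By: field instead and are not parsed by this snippet.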