Hey, Wouter.

On 06/04/2015 12:18 PM, Wouter Verhelst wrote:
> Hi,
>
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
>
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
>   keys and generates a sources.list.d file for the repository;
> - Run "apt-get update";
> - Install the "eid-mw" and/or "eid-viewer" packages.
>
> This works, but it has a number of downsides:
> - The second step, "run apt-get update", is often overlooked; this seems
>   to be the case especially for users of Ubuntu, where the default
>   handler for installing packages is the "Software Center", a GUI
>   software management tool that doesn't have any UI element for doing
>   (the equivalent of) apt-get update

Huh... this is unfortunate. I can imagine a package that installs some
kind of one-time cronjob that will execute 'apt-get update' a minute
later, but I don't like the idea... I hope there's something better
available.

> - There is no trust path from your already-installed distribution to the
>   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>   that enough).

Yeah unfortunately this is sort of a catch-22 problem... IMHO we want an
external archive key to be easily replaceable in case it's ever
compromised, yet we also want that same key to be "easily trust-able",
which takes time and several signatures of known keys to do... i.e. an
investment.

I recall the prior DPL wanting to support PPAs in Debian, and I would
imagine that this issue is one of the "sticking points" to that idea.

BTW does the 'debian-keyring' package exist on Ubuntu and Mint? If so I
could imagine that your eid-archive package could have a pre-depends on
debian-keyring and check that GPG keys installed by eid-archive are
signed by a DD or DM. As the debian-keyring package would come from the
main archive, that would at least have a trust path to the signing key
of the main distribution repository.

That's what I can think of at the moment anyway.

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us
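
The check suggested in the message above (archive keys carrying a good signature from a key in debian-keyring), as an added example that is not part of the original message or of any package mentioned in it. It parses the machine-readable output of `gpg --with-colons --check-sigs`; the function names and all key IDs in the sample data are constructed for illustration.

```python
# Added example. Inputs are the text of `gpg --with-colons` listings:
#   archive listing: `--check-sigs` over the archive key(s)
#   keyring listing: `--list-keys` over the debian-keyring keyring
# In a "sig" record, field 2 is the check result ('!' good, '-' bad,
# '?' no public key, '%' error) and field 5 is the signer's key ID.

def keyids(listing):
    """Key IDs of all primary keys ("pub" records) in a colon listing."""
    return {f[4] for f in (l.split(":") for l in listing.splitlines())
            if f[0] == "pub" and len(f) > 4}

def trusted_signers(archive_listing, trusted):
    """Map each archive key ID to the trusted key IDs that validly signed it."""
    result, current = {}, None
    for line in archive_listing.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":
            current = f[4]
            result[current] = set()
        elif f[0] == "sig" and current is not None:
            status, signer = f[1], f[4]
            # Skip self-signatures; count only verified ('!') signatures.
            if status.startswith("!") and signer != current and signer in trusted:
                result[current].add(signer)
    return {k: sorted(v) for k, v in result.items()}

def all_vouched(archive_listing, keyring_listing):
    """True only if every archive key has at least one trusted good signature."""
    found = trusted_signers(archive_listing, keyids(keyring_listing))
    return bool(found) and all(found.values())

# Constructed sample data (not real keys).
SAMPLE_ARCHIVE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC:
uid:-::::1400000000::0000::Example Archive Key <archive@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::Example Archive Key:13x:
sig:!::1:BBBBBBBBBBBBBBBB:1400000100::::Developer One:10x:
sig:?::1:CCCCCCCCCCCCCCCC:1400000200::::[User ID not found]:10x:
sig:-::1:DDDDDDDDDDDDDDDD:1400000300::::Developer Two:10x:
"""
SAMPLE_KEYRING = """\
pub:-:4096:1:BBBBBBBBBBBBBBBB:1300000000:::-:::scESC:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1300000000:::-:::scESC:
"""
```

Only a signature that verifies counts: in the sample, the key ending in `D` is in the trusted keyring but its signature is bad, so it does not vouch for the archive key.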