On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote:
> - There is no trust path from your already-installed distribution to the
>   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>   that enough).

There are 2 popular methods for this:
- Have an "app store".  We would allow those 3rd parties to upload
  and we sign it.  You would probably be looking for a part of the
  archive that doesn't have the same schedule as the releases.
- Have a method for 3rd parties to get their key to be trusted to
  installed software.  This could potentially be done by either
  shipping all such trusted keys or having them signed by a special
  purpose key.


Kurt

