On Tue, Aug 21, 2018 at 2:39 PM, Paul Wise <p...@debian.org> wrote: > On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote: > >> I want to make 3rd party keyring package (ITP). In the advance, I >> want to know a best practice about *keyring* packaging. Any hints? > > There are some best practices for using 3rd party apt repos here: > > https://wiki.debian.org/DebianRepository/UseThirdParty > >> sudo apt install -y -V --allow-unauthenticated foobar-keyring >> This is reasonable because there is no correct key yet before >> installing it. > > I don't think this is appropriate at all. Instead, always use an > out-of-band mechanism for confirming the appropriate OpenPGP keys. > Having the keyring package in Debian itself is a good idea, but at > very bare minimum, download the key or fingerprint from a website that > uses a valid TLS certificate according to the X.509 CA trust model. > >> So, I plan to make one more 3rd party keryring into Debian. > > That seems like a reasonable way to provide a secure mechanism to install it.
I think keyring package is restricted, and won't easily get passed NEW queue. If 3rd party keyring is feasible, I wonder why we don't have the deb multimedia [1] keyring [2] in archive. And emdebian's keyring [3] didn't hit archive, either. [1] https://www.deb-multimedia.org [2] https://www.deb-multimedia.org/dists/sid/main/binary-amd64/package/deb-multimedia-keyring [3] http://www.emdebian.org Cheers, -- Roger Shimizu, GMT +9 Tokyo PGP/GPG: 4096R/6C6ACD6417B3ACB1