Hello,

* Sam Hartman [Sun, Jul 14 2019, 02:07:55PM]:
> >>>>> "Eduard" == Eduard Bloch <e...@gmx.de> writes:
>
>     Eduard> Hello, * Sam Hartman [Sun, Jul 14 2019, 08:46:18AM]:
>     >> >>>>> "Julian" == Julian Andres Klode <j...@debian.org> writes:
>     >>
>     >> Please carefully consider uses of apt besides the system level
>     >> apt running as root installing packages on the system.
>     >>
>     >> What about when I use the apt libraries to explore some
>     >> repository and parse its packages files etc. Asking people to go
>     >> set up the keys for some of these use cases seems like a lot of
>     >> work.
>
>     Eduard> IMHO this could and should be mitigated. I.e. give people a
>     Eduard> tool they can work with without studying rocket science,
>     Eduard> following the spirit of letsencrypt etc., which handles the
>     Eduard> snakeoil key handling in a lazy way.
>
> Most of the repository generation tools these days do a fairly good job
> of signing the release file.

I am looking at this from the POV of a regular/lazy user. The next best
tool here is apt-ftparchive. Does it help you with signing? No. Does its
manpage even mention InRelease signing in any way? Not really.

Therefore, the critical voices in this thread are right - too early to
enforce strict signing.

> What I'm more worried about is configuring the client apt library in
> cases where you are using it for things other than the main apt instance
> on the system.

Understood, but what's the plan? Shouldn't this be another part of the
apt-secure manpage? Showing the user configuration examples for the few
main use cases?

Best regards,
Eduard.
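As an added illustration of the kind of configuration example the message above asks for (not part of the thread or of apt's own documentation), the script below sets up an isolated apt root for exploring one repository with its own signing key, so that a non-root, non-system apt instance never touches /etc/apt or the system trusted keyring. The repository URL, root directory and keyring path are placeholders; the keyring is assumed to hold the repository's public signing key in binary OpenPGP form.

```shell
# Added example, not from the thread. Creates an apt root under $1 whose
# configuration only trusts the key named via signed-by for repository $2.
setup_apt_root() {
  root="$1"
  repo_url="$2"
  keyring="$3"   # placeholder: the repository's public signing key (binary OpenPGP)
  mkdir -p "$root/etc/apt/sources.list.d" "$root/etc/apt/trusted.gpg.d" \
           "$root/var/lib/apt/lists/partial" "$root/var/cache/apt/archives/partial" \
           "$root/var/lib/dpkg"
  : > "$root/var/lib/dpkg/status"   # empty status file: no installed packages consulted
  cat > "$root/etc/apt/apt.conf" <<EOF
// Everything relative to Dir lives under the private root, not the system.
Dir "$root/";
Dir::State "var/lib/apt/";
Dir::State::status "$root/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Etc "etc/apt/";
// Point the trusted keyring locations into the root so the system keyring
// is never consulted; the repository key is pinned per source via signed-by.
Dir::Etc::Trusted "$root/etc/apt/trusted.gpg";
Dir::Etc::TrustedParts "$root/etc/apt/trusted.gpg.d";
// Refuse repositories whose InRelease is missing or not validly signed.
Acquire::AllowInsecureRepositories "false";
Debug::NoLocking "true";
EOF
  cat > "$root/etc/apt/sources.list" <<EOF
deb [signed-by=$keyring] $repo_url stable main
EOF
}

# Returns 0 when the generated configuration both pins a keyring for the
# source and refuses unsigned repositories; non-zero otherwise.
check_apt_root() {
  root="$1"
  grep -q '^Acquire::AllowInsecureRepositories "false";' "$root/etc/apt/apt.conf" &&
  grep -q '^deb \[signed-by=' "$root/etc/apt/sources.list"
}

# Usage (placeholder values), as an unprivileged user:
#   setup_apt_root /tmp/aptroot http://deb.example.invalid/debian /tmp/aptroot/archive-key.gpg
#   APT_CONFIG=/tmp/aptroot/etc/apt/apt.conf apt-get update
# apt-get exits non-zero if InRelease is absent or not signed by the pinned key.
```

The same apt.conf can be handed to the apt library (python-apt or libapt-pkg consumers) through the APT_CONFIG environment variable, which is the point of keeping the key setup out of the system configuration.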