Hi,

Dererk <der...@debian.org> writes:
> For what I see, I think this represents more like a serious security
> breach for the Debian Project adopting a third-party keyring, than to
> perform this very special task by hand in the very limited scenarios
> this could be necessary.

How is this different from including debian-edu-archive-keyring, debian-ports-archive-keyring and emdebian-archive-keyring? As far as I know none of those archives are maintained on the official Debian infrastructure.

As this is just distributing a public key (I don't think there is a need to run apt-key automatically for the Ubuntu keyrings), it is not even that different from all the public SSL keys that we ship. It only makes it easier for users to establish a chain of trust to the keyring (when you trust Debian and the maintainer of the package).

For this reason the maintainer should of course ideally be someone who can verify the integrity of the key without relying on others.

Regards,
Ansgar