On Wed 2018-01-17 15:09:45 -0800, Dan Kegel wrote:
> Yes to all four questions.  Here's the user story.

cool, your user story all makes sense to me except this bit:

> - The package depends on debian-archive-keyring (to leverage
> the web of trust as suggested in 'man secure-apt')

(itym 'man apt-secure', right?)

if you're expecting ubuntu (or any other non-debian) users to install
this, then you're actually increasing their attack surface, because this
package will place debian archive keys as "trusted" keys automatically
(meaning "any archive that is signed by them is considered legitimate"),
when they weren't present on the system before.

I don't see the part of apt-secure(8) that says anything about needing
this, and i don't see how it "leverages the web of trust" -- can you
explain this more?  Without a clear justification, i think you should
remove this dependency.

> I also have to support a range of versions of gpg, can't insist
> on the latest.  Happily, in preparation for supporting Ubuntu 17.10,
> I verified that I can drop support for versions of gpg and apt
> older than the ones in Ubuntu 16.04.

what i'm not hearing is an explicit example of how you are using gpg --
as the archive maintainer, surely you manage the archive itself on a
system of your choice.  for me, that would be a debian stable system,
with reprepro or something like that, which should already know how to
call out to gpg.

as the developer of the foobar-archive package, you shouldn't need to
invoke gpg at all in your package build scripts other than just --import
and --export, which should be pretty standard across all versions of
gpg.

your end users don't actually need full-blown gpg at all -- modern
versions of apt depend explicitly (and minimally) on gpgv, since all
they do is verify signatures based on a set of acceptable keys.

> While my foobar-archive.deb may seem superficially similar to
> debian-archive-keyring.deb, the latter does things
> in its postinstall step that establish trust at the system
> level in a way that doesn't seem like a good example for
> third party apt repositories to use as an example.

yep, agreed.  (which is why i'm surprised to see your dependency on
debian-archive-keyring) You may also be interested in
https://bugs.debian.org/861695, fwiw.

All the best,

    --dkg
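As an added illustration (not part of dkg's message or of any Debian package), the shell audit below runs against a constructed directory tree rather than a live system and separates a third-party key dropped into apt's global trust store, where it vouches for every archive (the concern raised above), from one that apt's `signed-by=` sources option scopes to a single repository; the paths, the foobar names and the example.invalid URL are constructed, and the keyring files are empty placeholders.

```shell
#!/bin/sh
# Constructed example: $1 mirrors the apt-relevant part of a Debian/Ubuntu
# filesystem so the checks run offline. Anything under etc/apt/trusted.gpg.d/
# is trusted for EVERY archive apt talks to; a keyring named only in a
# "signed-by=" option is trusted for that one archive.

# Number of keyrings apt will accept as signers for any archive.
count_global_keys() {
    n=0
    for f in "$1"/etc/apt/trusted.gpg.d/*.gpg "$1"/etc/apt/trusted.gpg.d/*.asc; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print sources entries that carry no signed-by= option; their Release files
# are checked against the global key set, so every global key vouches for them.
unscoped_sources() {
    cat "$1"/etc/apt/sources.list "$1"/etc/apt/sources.list.d/*.list 2>/dev/null \
        | grep -E '^[[:space:]]*deb(-src)?[[:space:]]' \
        | grep -v 'signed-by='
}

# Build the constructed tree: the same third-party key installed both ways.
# The .gpg files are empty placeholders standing in for real keyrings.
make_sample() {
    mkdir -p "$1/etc/apt/trusted.gpg.d" "$1/etc/apt/sources.list.d" "$1/usr/share/keyrings"
    # Global install: the pattern to avoid for a third-party archive.
    : > "$1/etc/apt/trusted.gpg.d/foobar-archive.gpg"
    printf 'deb http://example.invalid/debian stable main\n' \
        > "$1/etc/apt/sources.list.d/foobar-global.list"
    # Scoped install: keyring outside apt's trust store, referenced per repository.
    : > "$1/usr/share/keyrings/foobar-archive-keyring.gpg"
    printf 'deb [signed-by=/usr/share/keyrings/foobar-archive-keyring.gpg] http://example.invalid/debian stable main\n' \
        > "$1/etc/apt/sources.list.d/foobar-scoped.list"
}

# Stand-alone demo against a temporary tree.
root=$(mktemp -d)
make_sample "$root"
echo "globally trusted keyrings: $(count_global_keys "$root")"
echo "sources relying on global trust:"
unscoped_sources "$root"
rm -rf "$root"
```

Pointing the two functions at `/` instead of the sample tree turns this into a quick check of which repositories on a real machine still depend on the global key set.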

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users