Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Hi,

while I'm actually in favor of adding this package because it makes it a lot easier to obtain a trust path to the backports.org repo, which is important to our users, it's not true that there isn't a documented trusted path to install the key. It's documented here: http://wiki.debian.org/DebianEdu/Documentation/Etch/HowTo/Administration#head-136bb7e75e07e8b6463e6b30761ac51776c5c27d

    # add backports.org repo to /etc/apt/sources.list
    echo deb http://www.backports.org/debian etch-backports main contrib non-free >> /etc/apt/sources.list
    # install the debian-keyring securely:
    aptitude install debian-keyring
    # fetch the backports.org key insecurely:
    gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 16BA136C
    # check securely if the key is correct and add it to root's keyring if it is:
    gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C
    gpg --export 16BA136C | apt-key add -
    # update the list of available packages:
    aptitude update

But it's really quite complicated and a lot to type :) So I would definitely prefer a package, optionally with a low-priority debconf question (for preseeding mostly) to also edit sources.list :-)

regards,
Holger
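In the procedure above, the output of `--check-sigs` is read by the administrator before `apt-key add` is run. The following is an added example, not part of the original message, that makes that decision in a script by parsing gpg's `--with-colons` output; the function names and the sample records are assumptions made for illustration, and the key is assumed to have been fetched already.

```shell
#!/bin/sh
# Added example, not from the thread: import a key into apt only when gpg
# verified a certification on it made by a key from a trusted keyring.
DEBIAN_KEYRING=/usr/share/keyrings/debian-keyring.gpg   # path used in the thread

# Reads `gpg --with-colons --check-sigs KEY` output on stdin.
# $1: file with one trusted signer long key ID per line.
# Succeeds only if exactly one key is listed and it carries a good ("!")
# signature from a trusted signer other than the key itself.
trusted_path_ok() {
    awk -F: -v trusted="$1" '
        BEGIN { while ((getline id < trusted) > 0) if (id != "") ok[toupper(id)] = 1 }
        $1 == "pub" { npub++; self = toupper($5) }
        # Field 2 of a sig record: "!" good, "-" bad, "?" signer key missing.
        $1 == "sig" && $2 == "!" {
            signer = toupper($5)
            if (signer != self && (signer in ok)) found = 1
        }
        END { exit !(found && npub == 1) }
    '
}

# Constructed sample of the colon output (all key IDs are made up):
# a self-signature, a good signature, and one whose signer key is missing.
constructed_sample() {
    cat <<'EOF'
pub:-:1024:17:1111111111111111:2005-01-01:::-:Example Archive Key::scSC:
sig:!::17:1111111111111111:2005-01-01::::Example Archive Key:13x:
sig:!::17:2222222222222222:2005-01-02::::Example Developer:10x:
sig:?::17:3333333333333333:2005-01-03::::[User ID not found]:10x:
EOF
}

# Gate the import from the thread on that check. $1: key ID, already fetched.
import_if_trusted() {
    ids=$(mktemp) || return 1
    gpg --no-default-keyring --keyring "$DEBIAN_KEYRING" --with-colons \
        --list-keys | awk -F: '$1 == "pub" { print $5 }' > "$ids"
    if gpg --keyring "$DEBIAN_KEYRING" --with-colons --check-sigs "$1" |
            trusted_path_ok "$ids"; then
        gpg --export "$1" | apt-key add -
        rc=$?
    else
        echo "no verified signature from $DEBIAN_KEYRING on $1" >&2
        rc=1
    fi
    rm -f "$ids"
    return "$rc"
}
```

The self-signature is excluded because every key carries a good signature from itself, which says nothing about who owns it.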
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Saturday 28 June 2008 02:48, Holger Levsen wrote:
> It's documented here: http://wiki.debian.org/DebianEdu/Documentation/Etch/HowTo/Administration#head-136bb7e75e07e8b6463e6b30761ac51776c5c27d

now also with the correct order of commands :-)

regards,
Holger

(see, it ain't easy :-D
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Mon, Jun 23, 2008 at 11:39:36AM +1000, Brian May wrote:
> Luk Claes wrote:
> > apt-get install debian-backports-keyring
> >
> > or
> >
> > gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> > gpg --export | apt-key add -
>
> This involves 3 separate commands, and modifies files under /root/.gnupg/ at the same time. Seems overly complicated, especially for non-technical people. Would it be possible to simplify this?

The problem is not simplifying the process, but finding one that is not flawed and actually provides security. This ITP is not about making it simpler.

--
Robert Millan

GPLv2 I know my rights; I want my phone call!
DRM What good is a phone call… if you are unable to speak?
(as seen on /.)
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Sun, Jun 22, 2008 at 01:08:30PM -0500, Adam Majer wrote:
> Certainly, the backports.org keyring is useful to some people, *but* it is,
>
> 1. not free software

I don't think there's a legal basis to claim copyright on a blob of random bytes generated by a program. Who's the copyright holder? gpg? The authors of gpg? The person who typed gpg in command-line? The entropy source?

--
Robert Millan

GPLv2 I know my rights; I want my phone call!
DRM What good is a phone call… if you are unable to speak?
(as seen on /.)
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Hi,

On Sat, Jun 21, 2008 at 01:38:07PM -0400, Roberto C. Sánchez wrote:
> But backports.org is still unofficial.

so what? It's unofficial, but still it's of great use for most Debian users.

> If it were permitted, then what would happen when other unofficial repository maintainers want to package their repository keyrings? Will those be allowed or disallowed?

In my humble opinion they should be allowed to be packaged as if they are normal packages. Don't get me wrong, but Debian is a distribution, so what we basically do is pack up things that are worth distributing and distribute them. This way Debian users can benefit from our work and of course upstream's work. It would be the same for other keyrings. It's for the benefit of a larger audience of Debian users.

Of course this is not true for every keyring out there. So my approach isn't to let every keyring into the archive, but decide on case to case. Similar to what's being done with usual packages. It's already common for usual packages that they shouldn't be added if they don't provide benefit to *some* Debian users, like tools for a common goal which is already solved well and good by a lot of other tools in the archive.

Best Regards,
Patrick
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Patrick Schoenfeld wrote:
> In my humble opinion they should be allowed to be packaged as if they are normal packages. Don't get me wrong, but Debian is a distribution, so what we basically do is pack up things that are worth distributing and distribute them. This way Debian users can benefit from our work and

AFAIK, we do not distribute things, we distribute *software*. Some packages are just composed of data though, but other packages depend on it. Some is just data that is very useful in the *Debian* project. This includes the keyring.

Certainly, the backports.org keyring is useful to some people, *but* it is,

1. not free software
2. free software does not depend on it
3. not part of Debian's important data stuff

If the backports.org keyring gets distributed, then I would argue it allows other, non-software data to be packaged as well. For example, some free anime movies, or the Gutenberg project packages.

Debian is for *free software* (and some non-free) and stuff that is related to Debian. It is not for backports.org, or Ubuntu, or some other stuff.

- Adam
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Adam Majer writes:
> If backports.org keyring get distributed, then I would argue it allows others, non-software data to be packaged as well. For example, some free anime movies, or the Gutenberg project packages.
>
> Debian is for *free software* (and some non-free) and stuff that related to Debian. It is not for backports.org, or Ubuntu, or some other stuff.
>
> - Adam

I would argue that backports.org, while not official, is very much related to Debian and having a secure path to the keyring is of great benefit to Debian users. Such a keyring is also very small. Three things you can't say about free anime movies or the Gutenberg project packages.

MfG
Goswin

PS: I would prefer if apt-get could fetch and verify keyring updates directly from a repository though. Keyring packages are awful for key rollovers.
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Robert Millan wrote:
> On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
> > I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive... But I let the decision to the ftp-masters..
>
> Well, currently a problem is the only way to get a trusted path to the bpo repository is by fetching debian-backports-keyring from it, checking your signature in its .dsc, etc. So this is what I'm trying to solve.

Hmm, are there not 2 other ways documented on backports.org as you can see below?

Cheers

Luk

--
If you are using etch and you want apt to verify the downloaded backports you can import backports.org archive’s key into apt:

    apt-get install debian-backports-keyring

or

    gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
    gpg --export | apt-key add -

or

    wget -O - http://backports.org/debian/archive.key | apt-key add -
--
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Sun, Jun 22, 2008 at 10:34:15PM +0200, Luk Claes wrote:
> Robert Millan wrote:
> > On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
> > > I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive... But I let the decision to the ftp-masters..
> >
> > Well, currently a problem is the only way to get a trusted path to the bpo repository is by fetching debian-backports-keyring from it, checking your signature in its .dsc, etc. So this is what I'm trying to solve.
>
> Hmm, are there not 2 other ways documented on backports.org as you can see below?
>
> --
> If you are using etch and you want apt to verify the downloaded backports you can import backports.org archive’s key into apt:
>
>     apt-get install debian-backports-keyring
>
> or
>
>     gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
>     gpg --export | apt-key add -
>
> or
>
>     wget -O - http://backports.org/debian/archive.key | apt-key add -
> --

These examples just add the key to apt's keyring, but they don't provide any trusted path to it. One has to blindly believe that the key being downloaded by apt-get, gpg [1] or wget belongs to its owner.

[1] In the gpg example, you could happen to have a trusted key in your database that provides a trusted path to bpo's key, but for the average user this is IMHO not an acceptable solution.

--
Robert Millan

GPLv2 I know my rights; I want my phone call!
DRM What good is a phone call… if you are unable to speak?
(as seen on /.)
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Adam Majer wrote:
> Certainly, the backports.org keyring is useful to some people, *but* it is,
>
> 1. not free software

Presumably the following packages would never have made it into Debian if a public key didn't comply with the DFSG.

debian-archive-keyring - GnuPG archive keys of the Debian archive
debian-edu-archive-keyring - GnuPG archive keys of the Debian Edu archive
debian-keyring - GnuPG (and obsolete PGP) keys of Debian Developers
debian-maintainers - GPG keys of Debian maintainers
emdebian-archive-keyring - GnuPG archive keys for the emdebian repository

Having said that, having one entire package for one key file seems like overkill to me; is there not any other way of securely distributing the key?

Brian May
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Luk Claes wrote:
> apt-get install debian-backports-keyring
>
> or
>
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -

This involves 3 separate commands, and modifies files under /root/.gnupg/ at the same time. Seems overly complicated, especially for non-technical people. Would it be possible to simplify this?

> or
>
> wget -O - http://backports.org/debian/archive.key | apt-key add -

Brian May
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
reopen 480478
retitle 480478 ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
reassign 480478 wnpp
thanks

* Package name: debian-backports-keyring
* URL : http://backports.org/debian/pool/main/d/debian-backports-keyring/
* License : GPLv2+
Description : GnuPG archive key of the backports.org repository

Alexander, please let me know if you have any objection to this key being added to the archive, or if you would like to be the maintainer for this package or just the upstream (either way is fine with me).

--
Robert Millan

GPLv2 I know my rights; I want my phone call!
DRM What good is a phone call… if you are unable to speak?
(as seen on /.)
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Robert Millan wrote on Saturday, 21 June 2008:
> reopen 480478
> retitle 480478 ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
> reassign 480478 wnpp
> thanks
>
> * Package name: debian-backports-keyring
> * URL : http://backports.org/debian/pool/main/d/debian-backports-keyring/
> * License : GPLv2+
> Description : GnuPG archive key of the backports.org repository
>
> Alexander, please let me know if you have any objection to this key being added to the archive, or if you would like to be the maintainer for this package or just the upstream (either way is fine with me).

I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive... But I let the decision to the ftp-masters..

Alex
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Hi,

On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive...

Nobody is forced to install it?! And AFAICS we regularly recommend backports.org to users, who need newer software. So I think it should be in.

regards,
Holger
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Sat, Jun 21, 2008 at 07:34:59PM +0200, Holger Levsen wrote:
> Hi,
>
> On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> > I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive...
>
> Nobody is forced to install it?! And AFAICS we regularly recommend backports.org to users, who need newer software. So I think it should be in.

But backports.org is still unofficial. If it were permitted, then what would happen when other unofficial repository maintainers want to package their repository keyrings? Will those be allowed or disallowed?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
> On Sat, Jun 21, 2008 at 07:34:59PM +0200, Holger Levsen wrote:
> > Hi,
> >
> > On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> > > I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive...
> >
> > Nobody is forced to install it?! And AFAICS we regularly recommend backports.org to users, who need newer software. So I think it should be in.
>
> But backports.org is still unofficial. If it were permitted, then what would happen when other unofficial repository maintainers want to package their repository keyrings? Will those be allowed or disallowed?

What's wrong with packaging a keyring? Does a keyring package differ in any way from a normal (whatever that is...) package? It installs some files and in some sense modifies your system. It does not download any software itself, so what?

Best,
Michael
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Saturday 21 June 2008 11:38:07 Roberto C. Sánchez wrote:
> On Sat, Jun 21, 2008 at 07:34:59PM +0200, Holger Levsen wrote:
> > Hi,
> >
> > On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> > > I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive...
> >
> > Nobody is forced to install it?! And AFAICS we regularly recommend backports.org to users, who need newer software. So I think it should be in.
>
> But backports.org is still unofficial. If it were permitted, then what would happen when other unofficial repository maintainers want to package their repository keyrings? Will those be allowed or disallowed?

Maybe a common, group maintained, debian-unofficial-keyring package?

--
Wesley J. Landaker
OpenPGP FP: 4135 2A3B 4726 ACC5 9094 0097 F0A9 8A4C 4CD6 E3D2
Bug#480478: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
> I'm still not that sure if it's a good idea to add a non-official debian repo keyring into the archive... But I let the decision to the ftp-masters..

Well, currently a problem is the only way to get a trusted path to the bpo repository is by fetching debian-backports-keyring from it, checking your signature in its .dsc, etc. So this is what I'm trying to solve.

As for being non-official, I can try to make it clear in the package description that this key isn't officially endorsed by Debian, etc; does this sound fine to you?

--
Robert Millan

GPLv2 I know my rights; I want my phone call!
DRM What good is a phone call… if you are unable to speak?
(as seen on /.)