Package: leap-archive-keyring
Version: 2016.03.08
Severity: normal

This package installs a keyring in /etc/apt/trusted.gpg.d which is
great as it allows people to easily install LEAP applications by
leveraging the trust path already in Debian.

It does, however, mean that LEAP could, in theory, sign releases for
the official Debian archive, which is probably not what you
want. There are some efforts underway to standardize a process for
third-party repositories like LEAP, and the current proposal is to
store those certificates in /usr/share/keyrings/ instead. See:

https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_Key_distribution

Then that key can be referred to in the sources.list, which connects
the repository with its trust anchor without polluting the global
trust space:

deb [signed-by=/usr/share/keyrings/deriv-archive-keyring.gpg] https://deriv.example.net/debian/ stable main

In the case of LEAP, this would probably be something like:

sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/leap-archive-keyring.gpg] http://deb.leap.se/client release stretch" > /etc/apt/sources.list.d/bitmask.list'

I would also recommend setting up a pinned preferences file in the
archive as well, to keep the sources.list from upgrading random
packages from the main archive. I guess the preferences file could
look something like:

Package: bitmask* python-sqlcipher python-leap-common soledad*
Pin: origin deb.leap.se
Pin-Priority: 100

I would be happy to help you make those changes if you accept.

A.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information
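The distinction the report draws, between a keyring dropped into /etc/apt/trusted.gpg.d (honoured for every repository) and a key bound to one repository with signed-by, can be checked mechanically. The script below is an added example, not part of the bug report or of the leap-archive-keyring package: it classifies sources.list lines by whether they carry a signed-by option, counts the lines that still rely on the global trust space, and lists every keyring file sitting in a trusted.gpg.d directory. It runs against a constructed sample tree (a placeholder keyring file named example-third-party.gpg and two sample .list files) rather than the real /etc/apt, so it can be run offline; pointing the functions at /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d instead is the real-system use.

```shell
#!/bin/sh
# Added example (not from the bug report): audit apt sources for
# repository-scoped trust anchors. A "deb" line without a signed-by option
# is verified against every keyring in trusted.gpg.d, i.e. the global trust
# space the report describes; a line with signed-by is bound to one key.

# Classify one sources.list line: "scoped", "global", or "skip" (comments, blanks).
classify_source_line() {
  case "$1" in
    "deb ["*signed-by=*"]"*|"deb-src ["*signed-by=*"]"*) echo scoped ;;
    "deb "*|"deb-src "*) echo global ;;
    *) echo skip ;;
  esac
}

# Count the lines in file $1 that rely on the global trust space.
count_global_lines() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ "$(classify_source_line "$line")" = global ] && n=$((n + 1))
  done < "$1"
  echo "$n"
}

# List keyring files in a trusted.gpg.d-style directory $1; apt honours each
# of them for every configured repository, not just the one that shipped it.
list_global_keyrings() {
  for f in "$1"/*.gpg "$1"/*.asc; do
    if [ -e "$f" ]; then basename "$f"; fi
  done
}

# Build a constructed apt tree (sample data, not a real system) and print its path.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/sources.list.d" "$root/trusted.gpg.d"
  # Scoped form from the report: the key is named on the line itself.
  printf '%s\n' \
    'deb [signed-by=/usr/share/keyrings/leap-archive-keyring.gpg] http://deb.leap.se/client release stretch' \
    > "$root/sources.list.d/bitmask.list"
  # Legacy form (constructed): no signed-by, so every global keyring vouches for it.
  printf '%s\n' '# legacy entry (constructed)' \
    'deb http://deb.leap.se/client release stretch' \
    > "$root/sources.list.d/legacy.list"
  # Placeholder standing in for a third-party keyring dropped into the global directory.
  : > "$root/trusted.gpg.d/example-third-party.gpg"
  echo "$root"
}

# Print a human-readable audit of the tree rooted at $1.
audit_tree() {
  for f in "$1"/sources.list.d/*.list; do
    echo "$(basename "$f"): $(count_global_lines "$f") line(s) relying on global trust"
  done
  for k in $(list_global_keyrings "$1/trusted.gpg.d"); do
    echo "global keyring: $k (trusted for every repository)"
  done
}

# Demo on the constructed tree; replace "$tree" with /etc/apt to audit a real host.
tree=$(build_sample_tree)
audit_tree "$tree"
rm -rf "$tree"
```

On the sample tree the audit reports one global-trust line in legacy.list, none in bitmask.list, and one keyring in trusted.gpg.d. The classification is a plain pattern match on the options bracket, which is enough for one-line sources.list entries; deb822-style .sources files carry the key in a Signed-By field instead and would need a separate parser.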
