Making debootstrap fail by default on missing keyring is not going to somehow make all the people who are using it insecurely learn about the WoT and get a verified keyring.
The actual effect is it'll make a lot of documentation and probably quite a lot of scripts obsolete/broken for a while, until everyone learns to run debootstrap with --no-check-gpg to work around the change. Which would be only a little annoying, but if everyone gets in the habit of using debootstrap --no-check-gpg, they'll also use it when debootstrapping Debian on Debian. We risk regressing to less security by trying to shove complicated security down users' throats.

I actually think it would be more of a win to change the default mirror url from the current http://ftp.us.debian.org/ to a https url. This provides weak (CA) verification on systems without the Debian keyring, which is considerably better than nothing. A good candidate for such a mirror is https://mirrors.kernel.org/debian, although it's not currently in the {ftp,http}.us.debian.org rotation for some reason, and lacks IPv6. (None of the {ftp,http}.us.debian.org mirrors currently support https.)

Due to those limitations, and to avoid overloading it, I've modified debootstrap to default to the https mirror only when the gpg keyring is not available.

--
see shy jo