On Tue, Feb 02, 2021 at 02:02:42PM +0000, Julian Gilbey wrote:
> On Tue, Feb 02, 2021 at 10:53:03AM +0100, David Kalnischkies wrote:
> > Hi,
> > 
> > On Mon, Feb 01, 2021 at 12:42:01PM +0000, Julian Gilbey wrote:
> > > I just stumbled upon an "Ask Ubuntu" discussion, which has a very
> > > clear explanation of (at least some of) the reasons for the
> > > deprecation of apt-key and what to do instead:
> > > https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1300076#1300076
> > > 
> > > Logging it here in the hope that it will be of use to others.
> > 
> > It's Julian (juliank) who runs this deprecation and I have close to zero
> > interest in third party repositories, so I do not want to butt in on
> > these BUT that linked accepted answer is really not a good answer…
> > at least scroll a bit down and read the others if you really must.
> > 
> > [... detailed comments and ideas snipped ...]
> > 
> > Best regards
> > 
> > David Kalnischkies
> 
> Hi David,
> 
> That's really helpful, thanks!
> 
> What seems to come from your answer is that there is no "canonical"
> way to do it. But in the absence of guidance, each person setting up
> their own repository will do it in their own way. I had no idea of
> the potential dangers of the /etc/apt/trusted.gpg.d directory, for
> example, though I'm not sure that using signed-by is necessarily
> better.
> 
> What would be helpful, and what this whole thread is essentially
> about, is a request for the apt maintainers, who really know the
> architecture of the apt system and are probably the best-placed to
> give this guidance, to provide some "official" guidelines as to best
> practice in the apt packages. From your message, it seems as though
> there are actually two distinct audiences: repository maintainers and
> sysadmins.
Best practice will be to embed the key into a deb822 sources file, but
that's for bookworm+ and doesn't help much yet.

As of now, there are no best practices. I just drop files into
trusted.gpg.d, others drop them into /usr/[local/]share/keyrings and use
signed-by. Hence I don't want to commit to anything too concrete yet,
either way.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
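The two approaches named in the reply differ in scope: a key dropped into /etc/apt/trusted.gpg.d verifies every repository on the system, while a key referenced through signed-by (one-line format) or Signed-By (deb822 format, with the key either as a keyring path or embedded inline) verifies only the repository it is attached to. The script below is an added example, not code from this thread or from apt; it audits a set of sources files and reports which entries are scoped to a key and which fall back to the global keyrings. The directory layout, repository URIs and keyring names inside demo_audit are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not apt's own code): report which APT
# source entries are verified by a repository-scoped key and which rely on the
# global keyrings in trusted.gpg.d, where any key vouches for any repository.

# One-line format:  deb [opt=val ...] URI suite component...
# Prints "SCOPED <uri>" when the entry carries signed-by=, else "GLOBAL <uri>".
audit_oneline() {
    awk '
    /^[[:space:]]*deb(-src)?[[:space:]]/ {
        opts = ""; i = 2
        if ($2 ~ /^\[/) {            # optional [ ... ] option block before the URI
            while (i <= NF) {
                opts = opts " " $i
                if ($i ~ /]$/) { i++; break }
                i++
            }
        }
        tag = (opts ~ /signed-by=/) ? "SCOPED" : "GLOBAL"
        print tag, $i
    }' "$@"
}

# deb822 format (*.sources): blank-line separated stanzas. A Signed-By: field
# names a keyring file or carries an embedded armored key; either scopes the key.
audit_deb822() {
    awk -v RS= '
    {
        uri = ""; scoped = 0
        n = split($0, line, "\n")
        for (k = 1; k <= n; k++) {
            if (line[k] ~ /^URIs:/) { sub(/^URIs:[[:space:]]*/, "", line[k]); uri = line[k] }
            if (line[k] ~ /^Signed-By:/) scoped = 1
        }
        tag = scoped ? "SCOPED" : "GLOBAL"
        if (uri != "") print tag, uri
    }' "$@"
}

# Every keyring in the given trusted.gpg.d directory is accepted for all
# GLOBAL entries reported above.
list_global_keyrings() {
    for k in "$1"/*.gpg "$1"/*.asc; do
        [ -f "$k" ] && echo "$k"
    done
    return 0
}

# Demo on constructed files in a temporary directory (paths and URIs are made up).
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/sources.list.d" "$d/trusted.gpg.d"
    cat > "$d/sources.list.d/vendor.list" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] https://apt.vendor.example/debian stable main
deb https://legacy.vendor.example/debian stable main
EOF
    cat > "$d/sources.list.d/other.sources" <<'EOF'
Types: deb
URIs: https://deb822.example/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/deb822-archive-keyring.gpg

Types: deb
URIs: https://global.example/debian
Suites: stable
Components: main
EOF
    : > "$d/trusted.gpg.d/legacy-vendor.gpg"    # empty placeholder, constructed
    audit_oneline "$d"/sources.list.d/*.list
    audit_deb822 "$d"/sources.list.d/*.sources
    echo "global keyrings (trusted for every GLOBAL entry):"
    list_global_keyrings "$d/trusted.gpg.d"
    rm -rf "$d"
}

demo_audit
```

On a real system the same functions would be pointed at /etc/apt/sources.list, /etc/apt/sources.list.d/*.list, /etc/apt/sources.list.d/*.sources and /etc/apt/trusted.gpg.d; every GLOBAL line is a repository whose integrity depends on all of the listed global keyrings at once, which is the exposure the thread is discussing.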