Julian Andres Klode, on Mon. 27 Jan. 2025 11:34:16 +0100, wrote:
> On Sun, Jan 26, 2025 at 04:44:33PM +0100, Samuel Thibault wrote:
> > Are all just plain official Debian archive sources. It's not even
> > clear which Signed-by I would be supposed to use. Apparently giving
> > signed-by=/usr/share/keyrings/debian-archive-keyring.gpg does avoid
> > the warning, but shouldn't that already be some default? As it is now,
> > upgrading apt will make all users have to add that on *all* their
> > systems to fix the warning, do we really want that?
>
> Yes, as the notices say upgrade them to deb822 and add the field:
>
> Types: deb
> URIs: http://ftp.fr.debian.org/debian/ http://deb.debian.org/debian/
> Suites: sid experimental
> Components: main contrib non-free
> Signed-By: /usr/share/keyrings/debian-archive-keyring.asc

Again, do we really want that? Really, I fear an *ample* push-back from
essentially all our users. As it is now, it is also really not
documented enough, users will need the example described above.

> The default keyring for sources not specifying Signed-By is
> /etc/apt/trusted.gpg.d which is being phased out in favour
> of explicit configuration.
>
> APT cannot know which keyrings to use for sources magically.

It can automagically try to use the debian-archive keyring, it's meant
for that...

Samuel
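
An added example (not part of the thread and not APT's own code): a small Python audit that reports which source entries, in one-line or deb822 form, set no Signed-By and so rely on the default keyring discussed above. The sample entries are constructed and the function names are hypothetical.

```python
import re

# Constructed sample entries (not read from a real system).
KEYRING = "/usr/share/keyrings/debian-archive-keyring.gpg"
ONE_LINE = f"""\
deb http://deb.debian.org/debian/ sid main contrib non-free
deb [signed-by={KEYRING}] http://deb.debian.org/debian/ experimental main
"""
DEB822 = f"""\
Types: deb
URIs: http://deb.debian.org/debian/
Suites: sid experimental
Components: main contrib non-free
Signed-By: {KEYRING}

Types: deb
URIs: http://ftp.fr.debian.org/debian/
Suites: sid
Components: main
"""

def audit_one_line(text):
    """Return (uri, suite, signed_by or None) per one-line-style entry."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)", line)
        if m:
            opts = dict(o.split("=", 1) for o in (m.group(1) or "").split() if "=" in o)
            out.append((m.group(2), m.group(3), opts.get("signed-by")))
    return out

def audit_deb822(text):
    """Return (uris, suites, signed_by or None) per deb822 stanza."""
    out = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1].isspace() and key:           # continuation, e.g. an embedded key
                fields[key] += " " + line.strip()
            elif ":" in line and not line.startswith("#"):
                key = line.split(":", 1)[0].strip().lower()
                fields[key] = line.split(":", 1)[1].strip()
        if fields:
            out.append((fields.get("uris"), fields.get("suites"), fields.get("signed-by")))
    return out

def missing_signed_by(entries):
    return [e for e in entries if not e[2]]          # no explicit keyring configured
```

On a real system the same functions can be fed the contents of `/etc/apt/sources.list` and the `*.list` and `*.sources` files under `/etc/apt/sources.list.d/`.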