Hi all,

Jonathan McDowell said [Mon, Apr 07, 2025 at 01:59:13PM +0100]:
>>> So your argument is that this is a key others will want easy access to
>>> for validation of signatures produced by tag2upload?

>> Yes.

> I still think it's
> closer to something like an archive key (managed by a team, doesn't need
> the web of trust or replacement pieces that keyring-maint get involved
> with), but equally we already have other role keys present.

>> The key definitely wants to be published officially by Debian.
>> I think debian-keyring.deb is the way we do that for GPG keys that we
>> expect humans and computers to use.

> debian-keyring.deb is a terrible thing I wish didn't exist.

> The keyrings the Debian infrastructure cares about are distributed via
> rsync, with validation of the checksums being signed by a member of the
> keyring-maint team. The in-archive package file is purely convenience for
> folk who want to get hold of it, with no guarantee it's up to date (and,
> in fact, a guarantee it's not up to date in stable once we release,
> because we don't do volatile updates for it).

I agree with Jonathan here. At some point we in fact discussed whether we
could stop distributing the keyring as a package (but decided against it);
Jonathan usually updates it, but AFAICT neither John nor I do (each of us
does the "keyring dance" in a slightly different way).

FWIW, in my earlier replies I also supposed the request was to add the key
to the role-keys keyring; you do mention several oddities of the t2u key,
but we can see similar oddities in all of the keys in that keyring. And
yes, we don't want to ever find CD images signed by the Debian Account
Managers or security uploads signed by the Community Team. Special-purpose
keys... must somehow be special-cased.

I do think including the t2u key could be in place in the role-keys
keyring. Not so much because of the generated package (again, I see very
little value in it), but because it enables Debian infrastructure to check
it via rsync.

But ultimately, I am not familiar with the processing that will be done
once the other involved teams do the necessary footing to get t2u
working. Again, my stance is not to stand in your way, but to resolve
things as they are made available.

  – Gunnar.
