2010/6/23 Goswin von Brederlow <goswin-...@web.de>:
> That would complicate things when using
>
> deb [keyring=debian-lenny.gpg] http://ftp.debian.org/debian stable main
>
> The idea of specifying a specific keyring is so that one compromised key
> will not endanger all sources.list entries to attacks.

In theory you could support a list of keyrings in your trusted proposals (which is fine for me btw) or, as far as I know, the recommended line currently is to use the codename of the release instead of 'stable', so (maybe automatic) actions like "apt-get upgrade" can not end in a "lenn-eze"…

> Since I'm quite opposed to non-human-readable conffiles: Why is the
> keyring a conffile? Why not have the packages' keyring in
> /usr/lib/apt/trusted.gpg.d/ and user keyrings in
> /etc/apt/trusted.gpg.d/ or /usr/local/apt/trusted.gpg.d/? But I don't
> know how one would go about removing a key then.

The problem with /usr/lib/apt is that a file you delete or change will appear unchanged again with the next upgrade of the package. Something which seems to be disliked (in this bugreport). ;)

A binary file isn't my favorite either, but besides the fact that gpgv doesn't support ascii-armored files, it wouldn't change much anyway: I (and many others too) can't read ascii-armored keys… And if it really boils down to a "file exists or not", it is the same.

/etc also, as it is a user decision which keyrings he might want to trust (or not), and that doesn't always boil down to a complete keyring package.

Best regards,

David Kalnischkies

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org