Thanks for following up on this.

Michael Vogt wrote:
> I think the same. My proposal is to create a new debian-server-keyring
> [1] package that contains:
> /usr/share/keyrings/debian-archive-keyring.gpg
> /usr/share/keyrings/debian-archive-removed-keys.gpg
>
> and calls "apt-key update" in its postinst. apt-key update will add
> new keys from "debian-archive-keyring.gpg" via "apt-key add" and remove
> keys in debian-archive-removed-keys.gpg via "apt-key del".
>
> This way installing/updating the package will ensure that new keys are
> added as required and obsolete keys can be removed. Because the keys
> are part of a package and the package is covered with the trust-chain
> there is no trust-chain violation.
>
> If people are happy with my proposal I'll prepare and upload such a
> package.

Yes, that sounds right to me.

The installer also needs a copy of the keyring. Currently we copy this from the keyring shipped in apt at package build time, but it would be much nicer if there were a udeb that only contained the keyring. Once you create this package I can send a patch to also make it produce an appropriate udeb.

--
see shy jo
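
The reconciliation described in the quoted proposal, as an added example that is not part of the original thread and is not apt's own code: it computes which keys an `apt-key update`-style postinst step would add and delete, given colon-format `gpg` listings of the trusted, archive and removed keyrings. Matching on full fingerprints and letting removal win when a key appears in both shipped keyrings are assumptions of this sketch, and all key data is constructed.

```shell
#!/bin/sh
# Added example. All key data below is constructed, not real Debian keys.

# fingerprints LISTING: print primary-key fingerprints, one per line, from
# `gpg --with-colons --fingerprint` output. The fingerprint is field 10 of
# the "fpr" record after each "pub"; subkey fingerprints are skipped.
fingerprints() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }' | sort -u
}

# has LIST FPR: true if FPR is an exact, whole-line member of LIST.
has() { printf '%s\n' "$1" | grep -qxF "$2"; }

# plan_update TRUSTED ARCHIVE REMOVED: print "add FPR" / "del FPR" lines.
plan_update() {
    trusted=$(fingerprints "$1")
    archive=$(fingerprints "$2")
    removed=$(fingerprints "$3")
    for f in $archive; do
        has "$removed" "$f" && continue   # removal wins over addition
        has "$trusted" "$f" || echo "add $f"
    done
    for f in $removed; do
        if has "$trusted" "$f"; then echo "del $f"; fi
    done
}

# Constructed 40-hex-digit fingerprints and a helper that emits the two
# colon-format records gpg prints for a primary key (key ID is a placeholder).
K1=1111111111111111111111111111111111111111
K2=2222222222222222222222222222222222222222
K3=3333333333333333333333333333333333333333
K4=4444444444444444444444444444444444444444
K9=9999999999999999999999999999999999999999
rec() { printf 'pub:-:4096:1:KEYID:0::::::\nfpr:::::::::%s:\n' "$1"; }

TRUSTED="$(rec $K1)
$(rec $K2)"
# K3 carries a subkey (K9) that must not be treated as an archive key.
ARCHIVE="$(rec $K1)
$(rec $K3)
sub:-:4096:1:KEYID:0::::::
fpr:::::::::$K9:
$(rec $K4)"
REMOVED="$(rec $K2)
$(rec $K4)"

plan_update "$TRUSTED" "$ARCHIVE" "$REMOVED"
```

K4 appears in both shipped keyrings and is not yet trusted, so the plan neither adds nor deletes it.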