On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote:
> On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> > On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > > If that's not an option for some reason, then given that the packages
> > > are Free Software and of reasonably broad interest, you could at least
> > > upload a package to Debian containing the archive key, similar to
> > > pkg-mozilla-archive-keyring; that would establish a trust path. (Which
> > > doesn't solve the usability problem, but it does solve the trust
> > > problem.)
> >
> > True, but I don't think it is the best way forward.
> >
> > First, it would work for me, as long as I'm still contracting for the
> > government[1]. However, due to it being a *government* contract, this is
> > an inherently time-limited situation[2]. I want this situation to remain
> > manageable after the end of my contract.
> >
> > Second, while I wrote this in response to an immediate issue that I'm
> > dealing with, it should be obvious that this isn't a problem specific to
> > my situation; I would prefer to have a situation which works for
> > everyone, not just for me. Having to maintain a package inside Debian
> > isn't the best solution for third-party developers.
>
> If you don't mind the solution being specific to Debian developers,
> though not to you in particular, then the future plans for Debian PPAs
> or similar should help here. In particular, those should inherently
> have a trust chain from the archive.
Sure. They don't exist yet, however.

> And anything *not* specific to Debian developers shouldn't be automatic;
> if there's a means of signing something such that it is "trusted", that
> mechanism *must* be limited to DDs.

Actually, we *already* have cases where stuff can be installed on a
Debian system without apt saying anything about it (and without
requiring manual steps) that involves someone preparing an upload who
is not a DD. It's called a DM.

Do we trust DMs to the same level that we trust DDs? No. Is that fine?
Sure.

In the same vein, should we trust third-party repositories to the same
level that we trust DDs, or even DMs? Probably not. But then that's not
what I'm suggesting.

Having said that, I do agree with you that we should not allow just
about anyone to create a repository which will be automatically trusted
by the whole Debian system. Establishing such a trust chain should,
indeed, require some vetting by at least one Debian Developer, so that
malicious packages can be rejected, if needs be. Perhaps this should
even be done on a repeating basis; i.e., it could be done so that
getting a signature on an archive configuration can only be allowed if
it is time-limited (so that after a certain amount of time, the vetting
and signing needs to be re-done).

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/20150607215523.gg7...@grep.be