Hi,

On Tue, Aug 21, 2018 at 14:39, Paul Wise <p...@debian.org> wrote:
>
> On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
>
> > I want to make a 3rd party keyring package (ITP). In advance, I
> > want to know a best practice about *keyring* packaging. Any hints?
>
> There are some best practices for using 3rd party apt repos here:
>
> https://wiki.debian.org/DebianRepository/UseThirdParty

Thanks! I've not checked it, so it is very helpful. It seems to be exactly what I want.

> > sudo apt install -y -V --allow-unauthenticated foobar-keyring
> > This is reasonable because there is no correct key yet before
> > installing it.
>
> I don't think this is appropriate at all. Instead, always use an
> out-of-band mechanism for confirming the appropriate OpenPGP keys.
> Having the keyring package in Debian itself is a good idea, but at
> very bare minimum, download the key or fingerprint from a website that
> uses a valid TLS certificate according to the X.509 CA trust model.

I know that it is not an appropriate way, but I didn't know that wiki page [1] at that time.

[1] https://wiki.debian.org/DebianRepository/UseThirdParty

> > So, I plan to make one more 3rd party keyring into Debian.
>
> That seems like a reasonable way to provide a secure mechanism to install it.

Now I understand that it is good enough to follow the instructions on the wiki page about 3rd party repositories. [1]
No need to do a 3rd party keyring ITP in this case.

Thanks for all the kind advice!

-- 
Kentaro Hayashi <ken...@gmail.com>
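An added example, not part of the original thread: one way to do the out-of-band confirmation discussed above is to compare a downloaded key file's primary fingerprint against the fingerprint published on the vendor's HTTPS site before trusting the key, instead of installing a keyring package with `--allow-unauthenticated`. The function names, the file name and every fingerprint below are constructed for illustration, and the check assumes v4 (40 hex digit) fingerprints.

```shell
#!/bin/sh
# Constructed sample: `gpg --with-colons` listing of one key with one subkey.
# Fingerprints, key IDs and the uid are made up for this example.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1534809600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1534809600::::Foobar Archive <archive@example.invalid>:
sub:-:4096:1:76543210FEDCBA98:1534809600::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print only primary-key fingerprints from a colon listing on stdin.
# Each "pub" record is followed by its "fpr" record (field 10); the "fpr"
# after a "sub" record belongs to the subkey and is skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1 }
             $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Strip whitespace and upper-case, so "0123 4567 ..." copied from a web page compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_listing EXPECTED_FPR  (colon listing on stdin)
# 0 = exactly one primary key and it matches; 1 = mismatch; 2 = unusable pin.
check_listing() {
    expected=$(normalize_fpr "$1")
    case "$expected" in *[!0-9A-F]*) return 2 ;; esac
    # Assumption: v4 keys, so a full fingerprint is 40 hex digits; short key IDs are refused.
    [ "${#expected}" -eq 40 ] || return 2
    found=$(primary_fprs)
    # A key file carrying more than one primary key is rejected.
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$found" = "$expected" ]
}

# verify_keyfile FILE EXPECTED_FPR: inspect FILE without importing it.
verify_keyfile() {
    gpg --batch --with-colons --show-keys "$1" | check_listing "$2"
}

# Usage (file name hypothetical), before trusting the key for the repository:
#   verify_keyfile foobar-archive-key.asc "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" \
#       || { echo "fingerprint mismatch, not installing key" >&2; exit 1; }
```

The pin is only as trustworthy as the channel the expected fingerprint came from, which is why the thread asks for at least a site with a valid TLS certificate.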