On Thu, Jul 01, 2021 at 02:27:31PM +0200, Julian Andres Klode wrote:
> > > I disagree, and think this bug is a minor documentation issue,
> > > your issue here is likely outside the computer.
> >
> > I stick to the opinion that apt-secure pointing to apt-key which
> > is deprecated is simply the wrong thing.
>
> Yes, the manpages need some reshuffling. But we're about to enter
> hard freeze, and I don't want to end up breaking the translations
> at this point and do a big reshuffling and rewrite of the docs.
Fair point.
> > I would love to see some kind of example like
> >
> > [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]
>
> You don't _need_ signed-by if you place files in trusted.gpg.d,
> everything in trusted.gpg.d is trusted by any source lacking
> a signed-by.
OK, I lived under the impression that this is really needed
(by seeking on the web for non-apt-key using docs.) If this is
the case I absolutely agree with you.
> > directly and I think this should become part of Debian 11 release. But
> > I will not play severity ping-pong - just stating my very personal
> > opinion about some direct help in our docs. IMHO this is specifically
> > important since *lots* of links that can be found by your favourite
> > search engine are advertising the use of apt-key.
>
> I don't want to advertise signed-by=. We should aim to get deb822 format
> supported in python-apt next cycle, and then advertise a consistent use
> of deb822 .sources files.
>
> Including, but not limited to, having d-i create
> sources.list.d/<vendor>.sources instead of sources.list.
>
> It just looks bad in the legacy file format.
>
> I'm still concerned having signed-by leads people to adding sources
> they trust less, only to then be rootkitted by evil maintainer scripts
> of packages in that repo.
Thanks a lot for the clarification. I agree now with the minor
issue statement.
Kind regards
Andreas.
--
http://fam-tille.de
