On 7/1/21 8:27 AM, Julian Andres Klode wrote:
> I don't want to advertise signed-by=. We should aim to get deb822 format
> supported in python-apt next cycle, and then advertise a consistent use
> of deb822 .sources files.
>
> Including, but not limited to, having d-i create
> sources.list.d/<vendor>.sources instead of sources.list.
>
> It just looks bad in the legacy file format.
>
> I'm still concerned having signed-by leads people to adding sources
> they trust less, only to then be rootkitted by evil maintainer scripts
> of packages in that repo.
If [signed-by=] isn't the way to go, then what is? I recently updated
the keyring package in our company's APT repository to automatically
migrate people to [signed-by=] since apt-key (and with it
/etc/apt/trusted.gpg.d) is deprecated. This page suggested using
[signed-by=] instead:

https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html

In addition, this Debian Wiki page (linked from the article above)
suggests using [signed-by=] and not /etc/apt/trusted.gpg.d:

https://wiki.debian.org/DebianRepository/UseThirdParty

Kyle
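The two forms under discussion are the legacy one-line `deb [signed-by=...] ...` entry and the deb822 `.sources` stanza with a `Signed-By:` field. The converter below is an added example for this thread, not code from either poster or from python-apt: it parses one-line entries (the `signed-by`, `arch`, `trusted`, `lang` and `target` options documented in sources.list(5)), merges matching `deb`/`deb-src` pairs into one stanza, and reports entries that carry no `Signed-By` at all, since those fall back to the global trusted keyring, which is the scoping problem `signed-by` exists to avoid. The repository URL and keyring path in the sample are constructed, not real.

```python
"""Convert legacy one-line APT source entries to deb822 .sources stanzas
and flag entries whose signing key is not pinned with Signed-By."""
import re
from collections import OrderedDict

# One-line option names (sources.list(5)) mapped to deb822 field names.
OPTION_FIELDS = {
    "signed-by": "Signed-By",
    "arch": "Architectures",
    "trusted": "Trusted",
    "lang": "Languages",
    "target": "Targets",
}

_LINE_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


def parse_legacy_line(line):
    """Parse one `deb`/`deb-src` line; return None for blanks and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable source line: {line!r}")
    typ, opts, uri, suite, comps = m.groups()
    options = {}
    for opt in (opts or "").split():
        key, _, value = opt.partition("=")
        if key not in OPTION_FIELDS:
            raise ValueError(f"unknown option {key!r} in {line!r}")
        # Comma-separated lists in the one-line form become space-separated.
        options[OPTION_FIELDS[key]] = value.replace(",", " ")
    return {"type": typ, "uri": uri, "suite": suite,
            "components": comps.split(), "options": options}


def to_deb822(lines):
    """Render deb822 stanzas, merging entries that differ only in type."""
    groups = OrderedDict()
    for entry in map(parse_legacy_line, lines):
        if entry is None:
            continue
        key = (entry["uri"], entry["suite"], tuple(entry["components"]),
               tuple(sorted(entry["options"].items())))
        groups.setdefault(key, []).append(entry["type"])
    stanzas = []
    for (uri, suite, comps, opts), types in groups.items():
        fields = [("Types", " ".join(dict.fromkeys(types))),  # dedup, keep order
                  ("URIs", uri), ("Suites", suite)]
        if comps:  # flat repositories (suite ending in "/") have no components
            fields.append(("Components", " ".join(comps)))
        fields.extend(opts)
        stanzas.append("\n".join(f"{k}: {v}" for k, v in fields))
    return "\n\n".join(stanzas) + "\n"


def unpinned_sources(lines):
    """Return URIs of entries with no Signed-By, i.e. trusted by any key
    in /etc/apt/trusted.gpg.d rather than by one repository-specific key."""
    return [e["uri"] for e in map(parse_legacy_line, lines)
            if e is not None and "Signed-By" not in e["options"]]


# Constructed sample sources.list content; the host and keyring are made up.
SAMPLE_LINES = [
    "# constructed sample, not a real repository",
    "deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg]"
    " https://apt.example.com/debian bullseye main contrib",
    "deb-src [signed-by=/usr/share/keyrings/example-archive-keyring.gpg]"
    " https://apt.example.com/debian bullseye main contrib",
    "deb [arch=amd64,arm64] https://apt.example.com/debian bullseye-backports main",
]


def convert_sample():
    """Convert the constructed sample; used as the worked result."""
    return to_deb822(SAMPLE_LINES)


if __name__ == "__main__":
    print(convert_sample())
    for uri in unpinned_sources(SAMPLE_LINES):
        print(f"warning: {uri} has no signed-by, falls back to the global keyring")
```

Running the block prints two stanzas: the `deb` and `deb-src` lines for `bullseye` collapse into one stanza with `Types: deb deb-src` and a `Signed-By:` line, while the backports entry keeps its `Architectures:` field and is reported as unpinned. Note that pinning the key only scopes which signature apt will accept for that repository; as the quoted message points out, it does nothing to limit what a package's maintainer scripts can do once installed, so it narrows the trust question to "who may sign this repo", not "how much do I trust its contents".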