Re: debsuryorg-archive-keyring

2025-02-13 Thread Malcolm Scott via bind-users
On Thu, 13 Feb 2025, at 16:54, Petr Špaček wrote:
>> [1] https://gitlab.isc.org/isc-projects/bind9/-/issues/5050
>
> BTW you can expedite fixing it if you test code changes in
> https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9967
> and provide feedback.

Aha -- I had missed that -- I will test it.  Thanks!

Malcolm
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: debsuryorg-archive-keyring

2025-02-13 Thread Malcolm Scott via bind-users

Hi Ondřej,

That's a fair point; I am indeed trusting you anyway by installing your 
packages :-)


I mainly noticed this because I am temporarily building my own patched 
version of your package with a workaround for the SIG(0) key limit problem I 
reported some months back [1], and realised that if I used your sources, I'd 
have to ship debsuryorg-archive-keyring in my own PPA too.


Thanks,

Malcolm

[1] https://gitlab.isc.org/isc-projects/bind9/-/issues/5050


On Thu, 13 Feb 2025, Ondřej Surý wrote:


Hi Malcolm,

if you trust me to produce BIND 9 code directly from the upstream,
I guess that trust can be transitioned to the packaging repositories.

The packaging is created in a way that makes it easy to create
packages for both Ubuntu and Debian in the same way.

I'll add some text to the KB, thanks for raising the issue here.

Ondřej
P.S.: However, you are right that for Ubuntu PPAs there could be just
a dummy package with no keys and that would make it a little less
confusing. The package is set up like this intentionally for now
and it will get gradually upgraded to the signed-by method as the
distributions supporting that will get deprecated. As of now, the
change you mentioned will be included in Debian Trixie that hasn't
been released yet, and there are too many installations that still use
the old method.
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 13. 2. 2025, at 16:57, Malcolm Scott via bind-users wrote:

Hi all,

With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, 
linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at 
https://launchpad.net/~isc/+archive/ubuntu/bind, depend on 
debsuryorg-archive-keyring?  That package makes Apt trust a key for an entirely 
different Apt repository, not used (as far as I can tell) by the Launchpad PPA 
at all.  (Also it installs the key into /etc/apt/trusted.gpg.d, which is 
considered insecure and deprecated [1].)

$ apt-key list
(...)
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
-
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
 1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid   [ unknown] DEB.SURY.ORG Automatic Signing Key 
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
(...)

(Or should I treat deb.sury.org, rather than the Launchpad PPA, as the official 
repository for these packages?)

Malcolm


[1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS


debsuryorg-archive-keyring

2025-02-13 Thread Malcolm Scott via bind-users

Hi all,

With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, 
linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at 
https://launchpad.net/~isc/+archive/ubuntu/bind, depend on 
debsuryorg-archive-keyring?  That package makes Apt trust a key for an 
entirely different Apt repository, not used (as far as I can tell) by the 
Launchpad PPA at all.  (Also it installs the key into 
/etc/apt/trusted.gpg.d, which is considered insecure and deprecated [1].)


$ apt-key list
(...)
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
-
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
  1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid   [ unknown] DEB.SURY.ORG Automatic Signing Key 
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
(...)

(Or should I treat deb.sury.org, rather than the Launchpad PPA, as the 
official repository for these packages?)


Malcolm


[1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS
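
The difference between the two key-trust methods discussed in this thread, as an added example that is not part of any message above: a key in /etc/apt/trusted.gpg.d is accepted for every source entry that has no signed-by option, while signed-by pins an entry to one keyring file. The sketch below classifies one-line-style source entries only (not deb822 .sources files); the function names, hosts and keyring paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify one-line-style APT source entries.
# GLOBAL = no signed-by option, so APT accepts a signature from any key in
#          /etc/apt/trusted.gpg.d (the situation described in the thread).
# SCOPED = signed-by pins the entry to one keyring file.

audit_sources() {
    awk '
    $1 != "deb" && $1 != "deb-src" { next }   # skip comments and blank lines
    {
        keyring = ""
        i = 2                                 # field holding the URI
        if ($2 ~ /^\[/) {                     # "[ opt=val ... ]" block present
            for (i = 2; i <= NF; i++) {
                opt = $i
                gsub(/^\[|\]$/, "", opt)      # strip the surrounding brackets
                if (opt ~ /^signed-by=/) keyring = substr(opt, 11)
                if ($i ~ /\]$/) { i++; break } # URI follows the closing bracket
            }
        }
        if (keyring == "") print "GLOBAL", $i
        else print "SCOPED", $i, keyring
    }'
}

# List the keyring files that every GLOBAL entry implicitly trusts.
global_keyrings() {
    dir=${1:-/etc/apt/trusted.gpg.d}
    for f in "$dir"/*.gpg "$dir"/*.asc; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Constructed sample input; hosts and keyring paths are placeholders.
sample_sources() {
    cat <<'EOF'
# constructed entries, not taken from a real system
deb https://ppa.example.invalid/bind/ubuntu noble main
deb [signed-by=/usr/share/keyrings/example-archive.gpg] https://packages.example.invalid/debian bookworm main
deb [ arch=amd64 signed-by=/etc/apt/keyrings/other.gpg ] https://src.example.invalid/ubuntu noble main
EOF
}

sample_sources | audit_sources
```

On a real system, feed it the entries with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources` and compare the GLOBAL lines against the output of `global_keyrings`.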