Hi Malcolm,

if you trust me to produce BIND 9 code directly from the upstream,
I guess that trust can be transitioned to the packaging repositories.

The packaging is created in a way that makes it easy to create
packages for both Ubuntu and Debian in the same way.

I'll add some text to the KB, thanks for raising the issue here.

Ondřej
P.S.: However, you are right that for Ubuntu PPAs there could be just
a dummy package with no keys and that would make it a little less
confusing. The package is set up like this intentionally for now
and it will get gradually upgraded to the signed-by method as the
distributions supporting that will get deprecated. As of now, the
change you mentioned will be included in Debian Trixie that hasn't
been released yet, and there are too many installations that still use
the old method.
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 13. 2. 2025, at 16:57, Malcolm Scott via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> Hi all,
> 
> With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, 
> linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at 
> https://launchpad.net/~isc/+archive/ubuntu/bind, depend on 
> debsuryorg-archive-keyring?  That package makes Apt trust a key for an 
> entirely different Apt repository, not used (as far as I can tell) by the 
> Launchpad PPA at all.  (Also it installs the key into /etc/apt/trusted.gpg.d, 
> which is considered insecure and deprecated [1].)
> 
> $ apt-key list
> (...)
> /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
> ---------------------------------------------
> pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
>      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
> uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <d...@sury.org>
> sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
> (...)
> 
> (Or should I treat deb.sury.org, rather than the Launchpad PPA, as the 
> official repository for these packages?)
> 
> Malcolm
> 
> 
> [1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
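
The difference discussed in this thread can be checked on a host: keyrings under /etc/apt/trusted.gpg.d are trusted for every configured repository, while a signed-by pin limits a key to one source. The script below is an added example, not part of the original messages or of ISC's packaging; the function names, sample hosts and keyring paths are constructed for illustration.

```shell
#!/bin/sh
# Audit an apt configuration directory (normally /etc/apt) for global key trust.
# Usage: sh audit.sh /etc/apt

# Keyrings found here are trusted for EVERY configured repository.
list_global_keyrings() {
    for f in "$1"/trusted.gpg "$1"/trusted.gpg.d/*.gpg "$1"/trusted.gpg.d/*.asc; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Sources with no signed-by pin, i.e. verified against the global keyrings.
list_unpinned_sources() {
    for f in "$1"/sources.list "$1"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        # one-line format: deb [signed-by=/path] uri suite component
        grep -HnE '^[[:space:]]*deb(-src)?[[:space:]]' "$f" | grep -v 'signed-by=' || true
    done
    for f in "$1"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        # deb822 format: blank-line separated stanzas, each needs Signed-By:
        awk -v file="$f" '
            function report() { if (uris != "" && !signed) print file ": " uris
                                uris = ""; signed = 0 }
            /^[ \t]*$/                  { report(); next }
            tolower($1) == "uris:"      { uris = $2 }
            tolower($1) == "signed-by:" { signed = 1 }
            END                         { report() }' "$f"
    done
}

# Constructed sample tree (not taken from a real system) for a dry run.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/trusted.gpg.d" "$d/sources.list.d"
    : > "$d/trusted.gpg.d/example-archive.gpg"
    echo 'deb https://repo.example/ubuntu stable main' > "$d/sources.list.d/a.list"
    echo 'deb [signed-by=/usr/share/keyrings/b.gpg] https://b.example/ stable main' \
        > "$d/sources.list.d/b.list"
    printf 'Types: deb\nURIs: https://c.example/\nSuites: stable\nComponents: main\n\n' \
        > "$d/sources.list.d/c.sources"
    printf 'Types: deb\nURIs: https://d.example/\nSuites: stable\nSigned-By: /usr/share/keyrings/d.gpg\n' \
        >> "$d/sources.list.d/c.sources"
    printf '%s\n' "$d"
}

if [ $# -gt 0 ]; then list_global_keyrings "$1"; list_unpinned_sources "$1"; fi
```

Any source listed by `list_unpinned_sources` will accept signatures from every keyring listed by `list_global_keyrings`, which is why an unrelated key in trusted.gpg.d matters.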
