Package: wnpp
Severity: wishlist
Owner: Linda Lapinlampi <li...@lindalap.fi>
* Package name    : matrix-archive-keyring
  Version         : 2015.12.09
  Upstream Author : The Matrix.org Foundation CIC <packa...@matrix.org>
* URL             : https://matrix.org/packages/debian/repo-key.asc
* License         : GPLv3+ (key: public domain)
  Programming Lang: Make, sh
  Description     : OpenPGP archive key for the Matrix.org package repository

 The Matrix.org Debian package repository distributes digitally signed
 releases of Matrix.org related packages. This package contains the archive
 key used to verify those files, required by apt(8).

 matrix-archive-keyring will also attempt to harden the apt-secure(8)
 infrastructure by removing known previously installed (untrusted)
 Matrix.org archive key(s) from apt(8)'s global trust database, which have
 often been erroneously added via apt-key(8).

----

Hi,

so there are a few packages in Debian already, such as matrix-synapse. [1]
And then there are Debian packages from third-party Matrix.org and Riot.im
package repositories at upstream.

The issue: Signing keys added to /etc/apt/trusted.gpg{,.d} will be trusted
by apt(8) for every repository, including Debian's main package repository.
I'm currently seeing a "trend" on the Internet where tutorials and guides
suggest using "apt-key add" to install Matrix.org's package repository
archive key recklessly, without any regard to apt-secure(8). More so,
Matrix.org links to one of these guides itself. [2] Riot.im (related to the
same people running Matrix.org) also suggests "apt-key add". [3] Synapse
0.99.0's `INSTALL.md` guide suggests downloading a key and adding it via
apt-key(8) too, [4] while this package is also available from Debian.

The solution: A keyring package, as suggested by apt-secure(8). If the
sysadmin wants to install from the Matrix.org or Riot.im package
repositories (instead of Debian's), fine. Who am I to argue? At least I can
make their life more convenient while hardening APT's security for
everyone, while Debian doesn't have packages available for every upstream
package yet.
I have made this package install an OpenPGP-armored keyring to
/usr/share/keyrings (instead of /etc/apt/trusted.gpg.d); I'm also using a
db_install(8) postinst script to ensure that the keys in question don't
show up in two keyrings at once. I will also be looking to configure
debconf(1) to ask if the user also wants to install the appropriate
sources.list(5) file for the Matrix.org and/or Riot.im repository with the
signed-by option.

Packages similar to this one exist in Debian: ubuntu-keyring,
leap-archive-keyring, pkg-mozilla-archive-keyring, etc.

I will be looking for a sponsor. I know someone from the Matrix Packaging
Team at Debian whom I'll be asking to kindly sponsor this package. If they
refuse, I know where to ask.

Thanks for your attention.

[1]: https://wiki.debian.org/Matrix
[2]: https://matrix.org/docs/guides/installing-synapse
[3]: https://riot.im/desktop.html
[4]: https://github.com/matrix-org/synapse/blob/release-v0.99.0/INSTALL.md
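As an added example (not code from the ITP above, nor from the matrix-archive-keyring package or matrix.org), here is the shape of the two things the ITP says the package does: a sources.list(5) entry that trusts the key for one repository via signed-by, and the postinst logic that finds the same key in apt's global trust database and deletes it from there. The keyring file name, the repository base URL and suite in the sources.list line, GnuPG >= 2.1.23 (for `gpg --show-keys`) and the continued availability of apt-key(8) for `del` are all assumptions; the gpg colon-format sample at the bottom is constructed and its fingerprints are placeholders, not the real Matrix.org key.

```shell
#!/bin/sh
# Added example, not the matrix-archive-keyring package's own postinst.
# Assumptions (not in the ITP): keyring file name, repository URL/suite,
# GnuPG >= 2.1.23 for `gpg --show-keys`, apt-key(8) present for `del`.

KEYRING=/usr/share/keyrings/matrix-archive-keyring.asc   # assumed file name

# Print the primary-key fingerprints found in `gpg --with-colons` output on
# stdin, one per line, sorted and deduplicated. In colon format each "pub"
# record is followed by an "fpr" record whose 10th field is the fingerprint;
# "sub" records get "fpr" lines of their own, which are skipped here.
fprs_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    ' | sort -u
}

# Intersection of two newline-separated, deduplicated fingerprint lists.
shared_fprs() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } | grep . | sort | uniq -d
}

# sources.list(5) entry in which the key is trusted for this repository only.
# A key installed with `apt-key add` is trusted for every repository instead.
# The base URL is an assumption derived from the key's download location.
sources_list_line() {
    printf 'deb [signed-by=%s] https://matrix.org/packages/debian/ %s main\n' \
        "$KEYRING" "$1"
}

# Fingerprints apt currently trusts globally: the legacy keyring plus the
# fragment directory, both of which apt-secure(8) honours for every repository.
global_trust_fprs() {
    for kr in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg /etc/apt/trusted.gpg.d/*.asc; do
        [ -f "$kr" ] || continue
        gpg --batch --with-colons --show-keys "$kr" 2>/dev/null
    done | fprs_from_colons
}

# The postinst step: any key we ship that also sits in the global trust
# database is deleted from there, so after installation it is only honoured
# by repositories whose sources.list entry names it via signed-by.
demote_global_copies() {
    ours=$(gpg --batch --with-colons --show-keys "$KEYRING" 2>/dev/null | fprs_from_colons)
    shared_fprs "$ours" "$(global_trust_fprs)" | while read -r fpr; do
        echo "removing $fpr from apt's global trust database" >&2
        apt-key del "$fpr"
    done
}

# Constructed `gpg --with-colons` output for one key with one subkey; the
# fingerprints are placeholders, not the real Matrix.org archive key.
SAMPLE_COLONS='pub:-:4096:1:0000000000000001:1449619200:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1449619200::0000000000000000000000000000000000000000::Constructed test key::::::::::0:
sub:-:4096:1:0000000000000002:1449619200::::::s::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:'

# Stand-alone run: parse the constructed sample (prints only the primary
# fingerprint) and show the signed-by line for the suite given as $1.
printf '%s\n' "$SAMPLE_COLONS" | fprs_from_colons
sources_list_line "${1:-stable}"
```

Only `demote_global_copies` touches the system; everything else is pure text processing, which is what a postinst should keep the bulk of its logic in so it can be exercised without root. After the package is installed, `apt-key list` should no longer show the Matrix.org key, while `apt-get update` still verifies the repository through the signed-by path.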