Gunnar Wolf writes ("Re: Bug#1102125: debian-keyring: Please add tag2upload oracle service key"):
> If you are building a new package, take note: we are currently discussing
> #1101418, and one of the things that's on our roadmap is to rename *.gpg to
> *.pgp (because... reasons...), so I invite you to use such nomenclature for
> the proposed package.
Just to make sure I've understood correctly.  You're saying we should ship
this filename

  /usr/share/keyrings/debian-tag2upload.pgp

But still presumably containing the keyring in the gnupg-generated format we
have it?

The package would be debian-tag2upload-keyring.deb, which devscripts (the
home of dscverify) would need to Recommend.  I've chatted with Sean a bit and
I think we probably want this to be its own source package.

> I am a bit biased against distributing keys via .deb packages. Of course,
> it makes sense to have Debian systems' verification self-contained for our
> castaway on their deserted islands, but it brings its host of issues with
> it.

Mmmm.  This particular key is not likely to need to change very often.  We
might choose to roll it over.  A more likely scenario is that we want to do
postquantum (but I believe that would need a new hardware token).

> However, yes, having a .deb makes it somewhat easier to check for
> signatures made at a given point in time, even if the relevant key is no
> longer in use. For your suggested uses, I think finding a way to encode
> validity periods for a given key via ways other than its expiration date
> might be important.

These issues afflict dscverify(1) already.  I think we are happy if we can
achieve parity there with the situation for other source packages.  (In fact
I think we'll do better in practice because this key changes less.)

Perhaps we should consider if we want to extend the validity period on the
key, as published in this new .deb, before the trixie release.  But ISTM that
key lifetime extension could be done via stable updates (and even via LTS)
but we probably want to minimise the amount of churn.

Thanks,
Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk, that
is a private address which bypasses my fierce spamfilter.
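The exchange above turns on what a shipped keyring can and cannot tell a verifier: a key's creation time and its self-signature expiration are the only validity period the gnupg-generated binary format carries, so "was this key valid when that signature was made?" reduces to a packet walk. The following is an added example, not code from this thread, from devscripts/dscverify, or from any Debian package: a minimal RFC 4880 keyring walker that pulls each v4 primary key's fingerprint, creation time and key-expiration subpacket, then answers the point-in-time question. The keyring bytes are constructed inline with dummy key material and a dummy (unverified) self-signature; the names `parse_keyring`, `key_valid_at`, `build_sample_keyring` and the constants are mine. It does not verify the self-signature cryptographically, which a real checker must do before trusting the expiration it carries.

```python
"""Walk a binary OpenPGP keyring and answer "was key K valid at time T?".

Added example, not from the thread or any Debian tool.  Handles v4 public
key packets (tag 6), user IDs (tag 13) and certification self-signatures
(tag 2, types 0x10-0x13).  Subkeys (tag 14) are ignored.  The self-signature
is NOT verified here; a real checker must do that first.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


def _packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            b1 = data[i]
            i += 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length = ((b1 - 192) << 8) + data[i] + 192
                i += 1
            elif b1 == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[i]
                i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]
                i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i:i + length]
        i += length


def _subpackets(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each signature subpacket (length includes type)."""
    i = 0
    while i < len(blob):
        b1 = blob[i]
        i += 1
        if b1 < 192:
            length = b1
        elif b1 < 255:
            length = ((b1 - 192) << 8) + blob[i] + 192
            i += 1
        else:
            length = struct.unpack(">I", blob[i:i + 4])[0]
            i += 4
        yield blob[i], blob[i + 1:i + length]
        i += length


@dataclass
class KeyInfo:
    fingerprint: str          # v4 fingerprint, uppercase hex
    created: int              # epoch seconds
    expires: Optional[int]    # absolute epoch seconds; None = never expires


def parse_keyring(data: bytes) -> List[KeyInfo]:
    keys: List[KeyInfo] = []
    current: Optional[KeyInfo] = None
    for tag, body in _packets(data):
        if tag == 6:  # public-key packet: version, ctime(4), alg, MPIs
            if body[0] != 4:
                raise ValueError("only v4 keys handled")
            created = struct.unpack(">I", body[1:5])[0]
            # v4 fingerprint = SHA-1(0x99 || 2-byte body length || body)
            fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            current = KeyInfo(fp, created, None)
            keys.append(current)
        elif tag == 2 and current is not None and body[0] == 4:
            sigtype = body[1]
            if sigtype not in (0x10, 0x11, 0x12, 0x13):   # certification sigs only
                continue
            hlen = struct.unpack(">H", body[4:6])[0]
            for stype, sbody in _subpackets(body[6:6 + hlen]):
                if stype == 9:  # key expiration time, seconds after creation
                    secs = struct.unpack(">I", sbody)[0]
                    current.expires = current.created + secs if secs else None
    return keys


def key_valid_at(keys: List[KeyInfo], fingerprint: str, when: int) -> bool:
    """True iff a key matching the (suffix of a) fingerprint was valid at `when`."""
    for k in keys:
        if k.fingerprint.endswith(fingerprint.upper()):
            return k.created <= when and (k.expires is None or when < k.expires)
    return False


# ---- constructed sample keyring (dummy material, not a real key) ----------
CREATED = 1700000000
LIFETIME = 365 * 86400


def _old_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _subpacket(stype: int, body: bytes) -> bytes:
    return bytes([len(body) + 1, stype]) + body


def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _key_and_selfsig(uid: bytes, expiry_secs: Optional[int], seed: int) -> bytes:
    key_body = b"\x04" + struct.pack(">I", CREATED) + b"\x01" + _mpi(seed) + _mpi(65537)
    hashed = _subpacket(2, struct.pack(">I", CREATED))
    if expiry_secs is not None:
        hashed += _subpacket(9, struct.pack(">I", expiry_secs))
    sig_body = (b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
                + struct.pack(">H", 0) + b"\x00\x00" + _mpi(0x1234))   # dummy sig
    return _old_packet(6, key_body) + _old_packet(13, uid) + _old_packet(2, sig_body)


def build_sample_keyring() -> bytes:
    """Two constructed keys: one expiring after LIFETIME, one that never expires."""
    return (_key_and_selfsig(b"Expiring key (constructed)", LIFETIME, 0xC0FFEE)
            + _key_and_selfsig(b"Long-lived key (constructed)", None, 0xBEEF01))


if __name__ == "__main__":
    ks = parse_keyring(build_sample_keyring())
    for k in ks:
        print(k.fingerprint, k.created, k.expires,
              "valid a year+ later:", key_valid_at(ks, k.fingerprint, CREATED + 400 * 86400))
```

The point the check makes concrete: for the expiring key, a signature made after `created + LIFETIME` is unverifiable by expiration alone even though the key material has not changed, which is the "validity period other than the expiration date" gap the quoted message raises; a keyring package that later ships the same key with an extended self-signature changes `expires` without changing the fingerprint.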