On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote: > I want to make 3rd party keyring package (ITP). In the advance, I > want to know a best practice about *keyring* packaging. Any hints?
There are some best practices for using 3rd party apt repos here: https://wiki.debian.org/DebianRepository/UseThirdParty > sudo apt install -y -V --allow-unauthenticated foobar-keyring > This is reasonable because there is no correct key yet before > installing it. I don't think this is appropriate at all. Instead, always use an out-of-band mechanism for confirming the appropriate OpenPGP keys. Having the keyring package in Debian itself is a good idea, but at very bare minimum, download the key or fingerprint from a website that uses a valid TLS certificate according to the X.509 CA trust model. > So, I plan to make one more 3rd party keryring into Debian. That seems like a reasonable way to provide a secure mechanism to install it. -- bye, pabs https://wiki.debian.org/PaulWise
