On Thu, Aug 23, 2018 at 05:59:45AM -0700, Sean Whitton wrote:
> Hello,
>
> On Tue 21 Aug 2018 at 10:25AM GMT, Peter Palfrader wrote:
>
> > I'm not convinced that 3rd party keyring packages belong in the Debian
> > archive.
> >
> > If the software itself is good and free, then it belongs into Debian
> > itself.
> >
> > However, we shouldn't start shipping random key material for various
> > other places that just happen to offer their software in a format that
> > is consumable by apt.
>
> Providing the keyrings just as data, and not automatically adding them
> as trusted by apt, might be useful for bootstrapping trust paths,
> however.
How will Debian provide and maintain such trust paths in stable?
If we ship it in a stable release, it is Debian that provides some
initial level of trust.
So far Debian has completely failed on properly vetting and
DSA-maintaining 3rd party keys in Debian releases.
> Sean Whitton
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
