Hi,

On Sat, Nov 09, 2019 at 07:20:44PM +0200, Wouter Verhelst wrote:
> Hi Timo,
>
> On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote:
> > Hello Wouter Verhelst,
> >
> > 03.11.19 18:35 Wouter Verhelst:
> > > The software from the package downloads the metadata index and validates
> > > the GPG signature; and if everything checks out, adds configuration to
> > > /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
> > > repository.
> >
> > Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key is in
> > there its owner can impersonate the official debian repos for default
> > setups.¹
> > Please use some other path (such as /var/lib/extrepo/keyrings/) for the
> > keyrings and connect it with "Signed-By:" [1].
> >
> > I just changed my /etc/apt/sources.list.d/debian.sources to have:
> > Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
>
> Thanks. I agree that makes sense; I've updated the code as such.

So, that has happened, and I have now also uploaded extrepo[1].

In order for this to actually be useful, I would need a bunch of repositories to be available through the "extrepo" command.

In order for that to happen, I think the best thing to do (eventually) would be to have the maintainers of said external repositories to request for them to be added[2]. We'd then need a vetting procedure and a set of rules for things to be accepted. I've created a start for that at <https://salsa.debian.org/extrepo-team/extrepo-data>. Any comments?

(as a side note, that repository also contains the metadata of the repositories which extrepo knows...)

Thanks,

[1] https://ftp-master.debian.org/new/extrepo_0.2.html
[2] For the time being though, I've started creating a set of repositories. I'll probably add more in the next few days or weeks, as I encounter repositories that might be interesting to add. Long-term that is probably not the best idea, but short-term I want to have some critical mass of packages first...

-- 
To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard
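
Added example, not part of the original message and not extrepo's code: a Python check for the point made in the quoted exchange. It lists apt sources that carry no `Signed-By` and therefore rely on the globally trusted keyrings. The sample inputs, the example hostnames and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs; repo.example.org and other.example.net are placeholders.
DEB822_SAMPLE = """\
Types: deb
URIs: http://deb.debian.org/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

# third-party stanza with no Signed-By
Types: deb
URIs: https://repo.example.org/debian
Suites: stable
Components: main
"""
ONELINE_SAMPLE = """\
deb [arch=amd64 signed-by=/var/lib/extrepo/keyrings/example.asc] https://repo.example.org/debian stable main
deb https://other.example.net/apt stable main
"""

def parse_deb822(text):
    """Yield one dict of lower-cased field names per stanza."""
    stanza, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends the current stanza
            if stanza:
                yield stanza
            stanza, last = {}, None
        elif line[0] in " \t" and last:   # continuation of the previous field
            stanza[last] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            stanza[last] = value.strip()

def unpinned_deb822(text):
    """URIs of enabled stanzas that lack a Signed-By field."""
    return [s.get("uris", "?") for s in parse_deb822(text)
            if s.get("enabled", "yes").lower() != "no" and not s.get("signed-by")]
ONELINE = re.compile(r"\s*deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)")

def unpinned_oneline(text):
    """URIs of deb/deb-src lines with no signed-by= option."""
    hits = (ONELINE.match(line) for line in text.splitlines())
    return [m.group(2) for m in hits
            if m and "signed-by=" not in (m.group(1) or "").lower()]
```

On a real system the same functions can be fed the contents of the files under /etc/apt/sources.list.d; any URI they return is verified against whatever keys sit in the global trusted keyrings.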