Package: release-notes
Severity: normal

The project really needs to make its mind up which way it is going in terms of managing repo keys.

The bullseye release notes, e.g. 5.3.2. Deprecated components for bullseye make reference to "Keys should be managed by dropping files into /etc/apt/trusted.gpg.d"

But this seems to contravene current Debian policy as stated elsewhere, namely:

"The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."

Source:
1. https://wiki.debian.org/DebianRepository/UseThirdParty
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012

Please don't confuse people by encouraging different methods in different docs!
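
The rules quoted above from the UseThirdParty wiki page can be checked mechanically against one-line-style sources.list entries. The following is an added example, not part of the bug report or of any Debian tool; the function names, the sample entries and the repo.example.org host are constructed for illustration.

```python
import re

# Constructed sample entries (one-line style); host and key names are placeholders.
SAMPLE = """\
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/debian stable main
deb https://repo.example.org/debian stable main
deb [arch=amd64 signed-by=0123456789ABCDEF0123456789ABCDEF01234567] https://repo.example.org/debian stable main
deb [signed-by=/etc/apt/trusted.gpg.d/example.gpg] https://repo.example.org/debian stable main
# deb https://commented.example.org/debian stable main
"""

# type, optional [options], URI, suite
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

def audit_line(line):
    """Return findings for one line; an empty list means compliant or not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return []  # comment, blank line, or not a one-line-style entry
    options = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
    signed_by = options.get("signed-by")
    if signed_by is None:
        return ["no signed-by option (SHOULD be set)"]
    if not signed_by.startswith("/"):
        return ["signed-by is not a file path (MUST point to a file)"]
    if signed_by.startswith("/etc/apt/trusted.gpg.d/"):
        return ["key is in /etc/apt/trusted.gpg.d (MUST NOT)"]
    if not signed_by.startswith("/usr/share/keyrings/"):
        return ["key is outside /usr/share/keyrings (SHOULD)"]
    return []

def audit(text):
    """Map 1-based line number -> findings for every non-compliant entry."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = audit_line(line)
        if found:
            report[n] = found
    return report

if __name__ == "__main__":
    for n, found in audit(SAMPLE).items():
        print(f"line {n}: {'; '.join(found)}")
```
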