Tollef Fog Heen writes: > [Ian Jackson writes:] > >> [Micha Lenk wrote:] > >> > When did it get backported to oldstable for use on > >> > fasolo.debian.org? > >> > I haven't seen it in the oldbackports-new queue yet. ... > > I wasn't aware that the intent was to provide this key to dak via > > this .deb. Our intent with the package was to provide it to > > programs like dscverify on end-user systems. But, OK. > > No, not ok.
Hi. I'm afraid found this response rather unfriendly. Perhaps this is a linguistic problem. In British English "But, OK" implies acquiescence, not necessasrily endorsement or enthusiasm. And your "not ok" feels like criticism not only of the idea, but somehow also of me, for entertaining this notion. Just to be clear, Sean and I don't have an opinion about how this should be done. The notion of providing the key to fasolo via a .deb was suggested here in this thread by Micha [0]. I don't know where Micha got that idea from. Sean and my replies in this subthread were just trying to provide information, and avoid any needless difficulty. Sean and I were just trying to be cooperative and helpful, not endorse or promote this particular way of handling the key. Indeed, I deliberately omitted my own qualms about that approach. I don't know what the FTP Team's plans are for how this key should be provided to fasolo, because they haven't communicated with us on a technical level, at all. (There are no private emails with useful technical collaboration - absolutely everything is here on the list.) > We already have a keyring distribution mechanism for > keyrings that live on keyring.d.o. Please use that one. ... > I believe the setup for that syncing is managed by keyring-maint, > but I could be wrong about that. We had a conversation with keyring-maint. They told us that they didn't think including this public key in the debian-keyring pakage was appropriate [1]. Given that keyring.d.o "only deals with keys for Debian project Member [sic]" [2] (which the tag2upload service isn't) that doesn't seem appropriate either. gideon, the dgit-repos git server, also needs this public key. We chose to treat this keey as part of the service configuration. [3] In my draft minimal patch to dak to honour the tag2upload key [4] I did the same, There may well be a better and less ad-hoc way. My main goal is not to get hung up on this question, since it doesn't seem like the most important issue and it seems like different people all have different ideas. TBH it is frustrating to me that this side issue seems to be causing such a lot of debate, especially given that one of the key stakeholders (the FTP Team) is not participating at all. > Installing packages from backports from the wrong distribution > (relative to what the host is running) will not fill us with joy. I quite understand that. > There's no way to get a package into oldstable-backports now. Thanks for the information. To be clear, the reason we introduced debian-tag2upload-keyring, and backported it to stable-backports, is to support dscverify and dpkg-source [5] being able to verify tag2upload-generated source packages, not for relying entities on DSA systems. The .deb being installable on older releases is desirable for the same reasons as we make modern dgit.deb installable on older releases: for the benefit of downstream users who may be using old distros. If that .deb is also useful to provide the key on fasolo then that's fine by me, although it seems a suboptimal approach. If the FTP Team and DSA don't think it's useful for that, and want to do it some other way, then that's fine too. Thanks, Ian. [0] https://lists.debian.org/debian-vote/2025/04/msg00067.html [1] https://bugs.debian.org/1102125 [2] https://keyring.debian.org/ last paragraph [3] https://salsa.debian.org/dgit-team/dgit-infra-config/-/blob/master/debian-tag2upload.gpg [4] https://salsa.debian.org/iwj/dak/-/commits/t2u-minimal [5] https://salsa.debian.org/debian/devscripts/-/merge_requests/502#note_609377 -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
