Re: Validation of keyring changes [was: Enhancing cross-distro collaboration via foreign archive keyring] availability

On Wed, Oct 16, 2024 at 08:48:25AM -0400, Neal Gompa wrote: > Question then: what makes archlinux-keyring or debian-*-keyring > packages different from distribution-gpg-keys? Shouldn't both of them > get kicked out of the Ubuntu archive for the same reason? This is not a valid comparison. I alread

Re: Validation of keyring changes [was: Enhancing cross-distro collaboration via foreign archive keyring] availability

On Wed, 16 Oct 2024 at 12:56, Robie Basak wrote: > > I don't have anything further to add to this sub-thread. I think I've > made valid points about what our requirements should be to ensure that > changes to key material are done in a way that our users can trust, why > not doing so would reduce

Re: [was: Enhancing cross-distro collaboration via foreign archive keyring availability]

On Wed, 16 Oct 2024 at 13:10, Robie Basak wrote: > > [Splitting into more than one sub-thread; this sub-thread is about the > architecture] > > On Wed, Sep 11, 2024 at 04:38:27PM +0200, Luca Boccassi wrote: > > Regarding the alternative proposal, unfortunately there are several > > show-stoppers:

Re: Validation of keyring changes [was: Enhancing cross-distro collaboration via foreign archive keyring] availability

On Wed, Oct 16, 2024 at 7:56 AM Robie Basak wrote: > > I don't have anything further to add to this sub-thread. I think I've > made valid points about what our requirements should be to ensure that > changes to key material are done in a way that our users can trust, why > not doing so would reduc

Re: Validation of keyring changes [was: Enhancing cross-distro collaboration via foreign archive keyring] availability

On Wed, Oct 16, 2024 at 9:13 AM Robie Basak wrote: > > On Wed, Oct 16, 2024 at 08:48:25AM -0400, Neal Gompa wrote: > > Question then: what makes archlinux-keyring or debian-*-keyring > > packages different from distribution-gpg-keys? Shouldn't both of them > > get kicked out of the Ubuntu archive

Re: Validation of keyring changes [was: Enhancing cross-distro collaboration via foreign archive keyring] availability

I don't have anything further to add to this sub-thread. I think I've made valid points about what our requirements should be to ensure that changes to key material are done in a way that our users can trust, why not doing so would reduce user security compared to what happens in Debian, and justif

[was: Enhancing cross-distro collaboration via foreign archive keyring availability]

[Splitting into more than one sub-thread; this sub-thread is about the architecture] On Wed, Sep 11, 2024 at 04:38:27PM +0200, Luca Boccassi wrote: > Regarding the alternative proposal, unfortunately there are several > show-stoppers: it essentially boils down to downloading stuff from the > inter