On Wed, Oct 16, 2024 at 9:13 AM Robie Basak <robie.ba...@ubuntu.com> wrote:
>
> On Wed, Oct 16, 2024 at 08:48:25AM -0400, Neal Gompa wrote:
> > Question then: what makes archlinux-keyring or debian-*-keyring
> > packages different from distribution-gpg-keys? Shouldn't both of them
> > get kicked out of the Ubuntu archive for the same reason?
>
> This is not a valid comparison. I already covered this in a previous
> reply[1]. Note though that I made no suggestion that any package should
> get "kicked out". I was only referring to SRUs.
>
I know you didn't, but if they can't ever be updated, then they shouldn't be in the archive in the first place. Strictly speaking, keyring packages that cannot be updated are much worse than not having them at all. It lures people into a false sense of security, especially around verifying the integrity of content using those keys. If we apply the same standard to all keyring packages used to manage and verify software, then keyring packages that cannot be updated need to be kicked out, because it's extremely important that they can be updated.

Incidentally, as a member of distribution-gpg-keys upstream, my only real ask for any distribution shipping it is to not fork the sources as part of packaging it. In Debian terms, that means don't use the typical git-buildpackage workflow that creates an exploded git source tree and merges a debian folder into that source tree. That makes it really hard to determine whether someone has mucked around with the sources as part of packaging it.

If Ubuntu (or any distribution) decides to make it hard to update keyring packages, I would rather you didn't package it at all and removed them from the archive. It does a disservice to users of that distribution if they can't be updated post-GA.

--
Neal Gompa (FAS: ngompa)

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel