pull archive keyring out of global trust path #21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The [repository instructions](https://wiki.debian.org/RepositoryInstructions) have been changed to avoid writing third-party keyring files to the global trust anchors (in `/etc/apt/trusted-gpg.d`) and instead write those to a more neutral location (`/usr/share/keyrings`, alongside other keyring files). The downside of this change is that the key fingerprint isn't validated directly through this process. But considering that validation of the key is anchored through HTTPS validation in the first place, we do not *really* lose anything by moving that to the `.gpg` file transfer: that file's integrity is still checked through HTTPS. Furthermore, not storing the explicit fingerprint here will make future key rotations easier as they will not require documentation updates. Note that this change will also require a change in the `grml-debian-keyring` package to install the keyring file in the new location. If that package does not install a `.sources` or `.list` file, that move will also break existing configurations, so a NEWS entry might be in order as well.
anarcat
added a commit
to anarcat/grml-debian-keyring
that referenced
this pull request
Feb 15, 2018
The [repository instructions][1] have been changed to avoid writing third-party keyring files to the global trust anchors (in `/etc/apt/trusted-gpg.d`) and instead write those to a more neutral location (`/usr/share/keyrings`, alongside other keyring files). [1]: https://wiki.debian.org/RepositoryInstructions The downside of this change is that the key fingerprint isn't validated directly through this process. But considering that validation of the key is anchored through HTTPS validation in the first place, we do not *really* lose anything by moving that to the `.gpg` file transfer: that file's integrity is still checked through HTTPS. Furthermore, not storing the explicit fingerprint here will make future key rotations easier as they will not require documentation updates. Note that this change will also require a change in the `grml-debian-keyring` package to install the keyring file in the new location. If that package does not install a `.sources` or `.list` file, that move will also break existing configurations, so a NEWS entry might be in order as well. This is related to the [proposed website documentation change][2] [2]: grml/grml.org#21
|
and grml/grml-debian-keyring#3 is the related change to the keyring thing. |
|
Pushed, thanks! 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The repository instructions have been changed to avoid writing third-party keyring files to the global trust anchors (in
/etc/apt/trusted-gpg.d) and instead write those to a more neutral location (/usr/share/keyrings, alongside other keyring files).The downside of this change is that the key fingerprint isn't validated directly through this process. But considering that validation of the key is anchored through HTTPS validation in the first place, we do not really lose anything by moving that to the
.gpgfile transfer: that file's integrity is still checked through HTTPS. Furthermore, not storing the explicit fingerprint here will make future key rotations easier as they will not require documentation updates.Note that this change will also require a change in the
grml-debian-keyringpackage to install the keyring file in the new location. If that package does not install a.sourcesor.listfile, that move will also break existing configurations, so a NEWS entry might be in order as well.This is a followup for #13.