pull archive keyring out of global trust path #21
The repository instructions have been changed to avoid writing third-party keyring files to the global trust anchors (in /etc/apt/trusted-gpg.d) and instead write those to a more neutral location (/usr/share/keyrings, alongside other keyring files).

The downside of this change is that the key fingerprint isn't validated directly through this process. But considering that validation of the key is anchored through HTTPS validation in the first place, we do not really lose anything by moving that to the .gpg file transfer: that file's integrity is still checked through HTTPS. Furthermore, not storing the explicit fingerprint here will make future key rotations easier as they will not require documentation updates.

Note that this change will also require a change in the grml-debian-keyring package to install the keyring file in the new location. If that package does not install a .sources or .list file, that move will also break existing configurations, so a NEWS entry might be in order as well.

This is a followup for #13.
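
An added example, not part of the pull request or the project's code: a small audit that reports which APT source entries name their keyring with signed-by / Signed-By and which still fall back to the global trust anchors. The repository URLs and the keyring file name are constructed placeholders, and the deb822 parser assumes single-line field values.

```python
import re

# Constructed sample input; URLs and keyring file name are placeholders.
ONE_LINE = """\
# constructed one-line-style (.list) entries
deb https://repo.example.invalid/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.invalid/debian stable main
"""

DEB822 = """\
Types: deb
URIs: https://repo.example.invalid/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/example-archive-keyring.gpg

Types: deb
URIs: https://other.example.invalid/debian
Suites: stable
Components: main
"""

LINE_RE = re.compile(r"^(deb-src|deb)\s+(?:\[([^\]]*)\]\s+)?(\S+)")

def audit_one_line(text):
    """Return [(uri, keyring or None)] for each entry in .list syntax."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m:
            opts = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
            out.append((m.group(3), opts.get("signed-by")))
    return out

def audit_deb822(text):
    """Return [(uri, keyring or None)] for each stanza in .sources syntax."""
    out = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line[:1].isspace() and not line.startswith("#"):
                k, v = line.split(":", 1)
                fields[k.strip().lower()] = v.strip()
        if "uris" in fields:
            out.append((fields["uris"], fields.get("signed-by")))
    return out

def unpinned(entries):
    """Entries without a keyring are verified against the global trust anchors."""
    return [uri for uri, keyring in entries if keyring is None]
```
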