provide the OpenPGP trust anchor as a binary file #6
Comments
|
This seems reasonable, yes. |
|
As a side note, I'd be happy to work with someone Debian savvy to get this into the repo proper, and to build a proper Debian source package. The current package builds are certainly not Debian-standard, but roughly get the job done as easily as possible. :) I know the Syncthing build process intimately, but got lost when trying to create a proper, working, Debian source package of this. |
|
@calmh then you may want to get in touch with the people behind the ITP at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749887 :) otherwise, the typical way of getting reviews is to upload the package to mentors.debian.net, and ask for a RFS (Request For Sponsorship) on the Debian bugtracker ( i'd be happy to help if the current owners of the ITP are not available. |
|
Yeah, no, providing binary packages on apt.syncthing.net works for me. I have no intention of trying again to build the full package thing from source and interact with the Debian organization. But I'll happily handhold anyone who wishes to do so on all the technical aspects of building Syncthing properly. |
|
Well, you don't have to get into the full bureaucracy - just send an email to |
|
You misunderstand me. I'll try to be as clear as possible. I'm not working on creating a Debian package of Syncthing and probably never will be - my time is much better spent on things I understand and appreciate working with. As such I don't need any help with creating a Debian package. However if someone else is working on building a better package, and for any reason get stuck on the aspects of building Syncthing, I'll be happy to assist. Now, lets let this issue be for the PGP key and move any further discussion to the forum. Perhaps there is someone else there that would be happy sink their teeth into building a package for Debian proper. |
|
On 2016-03-17 10:53:28, Jakob Borg wrote:
I fully understand. :)
In my opinion, the proper forum is email, and the link I mentionned a. My passionate sense of social justice and social responsibility has |
The Debian/Ubuntu install instructions indicate we should run:
While this is good, it's not considered best practice. Apart from verifying the key (which should be done separately, and is a whole different set of problems), the key should not be added to the global trust anchor in
/etc/apt/trusted.gpg(whichapt-key add -does). This makes it more difficult to track which package added which key, as this file can grow big and unmaintained.A better way would be:
It involves less commandline knowledge (no pipeline), is a single command, and will make the OpenPGP certificate end up in a separate file, distinct from all the others.
This is how Ubuntu PPAs manage their keys as well, and is considered a better practice than piping stuff through
apt-key.Note how the file name change: the
.gpgfile is not an ascii-armored file (as produced bygpg --export --armor) but a binary OpenPGP file. This is also expected (and will break APT if used with thetxtfile).Ideally, there would be a PPA for Syncthing or it would just enter Debian already, but works still seems to be underway there (see bug #749887 in the Debian BTS).
Note: moved from syncthing/syncthing#2843
The text was updated successfully, but these errors were encountered: