<shengjing.zhu@canonical.com> wrote:
>
> On Wed, Sep 11, 2024 at 1:12 AM Robie Basak <robie.basak@ubuntu.com> wrote:
> > But if all we're doing is taking the keys from other places and updating
> > them in Ubuntu, validated by some process that ultimately relies on some
> > set of people to assert that the keys are correct, then what are we
> > achieving anyway? Can this not just be automated then, and tooling be
> > provided in the archive instead, so users can just do that directly when
> > they need? Then there would be much reduced burden on maintainence,
> > including for the relevant privileged review teams.
>
> I don't see the problem of putting a slight burden on the review
> teams, if there is a tool/process to update, review and validate the
> content of the keyring.
> If the distro maintainers can save users' burden then why not? In the
> current implementation, users can just update the keyring by running
> `apt update`. It's simple and easy for users.
>
I agree with this point. I think Luca has explained why the current
architecture is appropriate here, and it sounds like the updates to
these packages would be infrequent. So, in my opinion, a pretty
straightforward addition to "Documentation for Special Cases" is all
we need here.
-Nick
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel