>
> On Wed, Oct 16, 2024 at 08:48:25AM -0400, Neal Gompa wrote:
> > Question then: what makes archlinux-keyring or debian-*-keyring
> > packages different from distribution-gpg-keys? Shouldn't both of them
> > get kicked out of the Ubuntu archive for the same reason?
>
> This is not a valid comparison. I already covered this in a previous
> reply[1]. Note though that I made no suggestion that any package should
> get "kicked out". I was only referring to SRUs.
>
I know you didn't, but if they can't be updated ever, then they
shouldn't be in the archive in the first place. Strictly speaking,
keyring packages that cannot be updated are much worse than having
them at all. It lures people into a false sense of security,
especially around verifying the integrity of content using those keys.
If we apply the same standard to all keyring packages used to manage
and verify software, then keyring packages that cannot be updated need
to be kicked out, because it's extremely important that they can be
updated.

Incidentally, as a member of distribution-gpg-keys upstream, my only
real ask for any distribution shipping it is to not fork the sources as
part of packaging it. In Debian terms, that means don't use the
typical git-buildpackage workflow that creates an exploded git source
tree and merges a debian folder into that source tree. That makes it
really hard to determine whether someone has mucked around with the
sources as part of packaging it.

If Ubuntu (or any distribution) decides to make it hard to update
keyring packages, I would rather you didn't package it at all and
remove them from the archive. It does a disservice to users of that
distribution if they can't be updated post-GA.
--
Neal Gompa (FAS: ngompa)
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel