AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

Daniel Kahn Gillmor dkg at
Thu May 17 21:58:17 CEST 2018

On Thu 2018-05-17 15:37:55 +0000, Fiedler Roman wrote:
> From: Daniel Kahn Gillmor [mailto:dkg at]
>> See sources.list(5) and
>> for more details.
>> See also for suggestions about
>> improvements to scoped cryptographic authorities for the default
>> installation of debian repositories.
> Thanks for the information. I thought that the new model would be
> using "/etc/apt/trusted.gpg.d", as recommended by an online version of
> "apt-key".

I recommend not relying directly on apt-key, whether online or offline :)

> But of course the per-repository pinning of keys could make key
> management easier as there is an n:1 link between repositories and
> keys, thus it is easier to avoid stale keys in the common key storage
> file.

yes.  furthermore, per-repository pinning of keys avoids the possibility
of one repository owner signing a Release file for a different
repository.  This paves the way for a local administrator to put
meaningful constraints on a given external repository (e.g. pinning
which packages can be shipped from that repo, or restricting maintainer
scripts from running).

I welcome any and all help in continuing to drive the ecosystem down
this path.
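
Added example, not part of the original message: a small audit of one-line-style sources.list entries that reports which repositories lack the `signed-by` option described in sources.list(5). Entries without it are verified against every key apt trusts globally, including those in /etc/apt/trusted.gpg.d. The sample entries, host names and keyring paths are constructed for illustration.

```python
import re

# Constructed sample input (not taken from the thread): one-line-style entries.
SAMPLE = """\
# constructed example entries
deb http://deb.example.org/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor-archive.gpg] https://repo.example.com/apt stable main
deb-src [ signed-by=/usr/share/keyrings/vendor-archive.gpg ] https://repo.example.com/apt stable main
deb [arch=amd64] https://other.example.net/apt focal contrib
"""

# type, optional [options], URI, suite (components are not needed for this check)
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)

def parse_entries(text):
    """Return one dict per repository entry, with its signed-by value or None."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            continue                          # not a one-line-style entry
        opts = {}
        for tok in (m.group("opts") or "").split():
            key, _, val = tok.partition("=")
            opts[key.lower()] = val
        entries.append({
            "line": lineno,
            "uri": m.group("uri"),
            "suite": m.group("suite"),
            "signed_by": opts.get("signed-by") or None,
        })
    return entries

def unpinned(entries):
    """Entries with no per-repository key: any globally trusted key can sign them."""
    return [e for e in entries if e["signed_by"] is None]

if __name__ == "__main__":
    for e in unpinned(parse_entries(SAMPLE)):
        print(f"line {e['line']}: {e['uri']} {e['suite']} has no signed-by")
```

To audit a real system, pass the contents of /etc/apt/sources.list and the `*.list` files under /etc/apt/sources.list.d/ to `parse_entries`; deb822-style `.sources` files are not handled by this example.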

