AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 17 21:58:17 CEST 2018


On Thu 2018-05-17 15:37:55 +0000, Fiedler Roman wrote:
> Von: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net]
>
>> See sources.list(5) and
>> https://wiki.debian.org/DebianRepository/UseThirdParty for more details.
>> 
>> See also https://bugs.debian.org/877012 for suggestions about
>> improvements to scoped cryptographic authorities for the default
>> installation of debian repositories.
>
> Thanks for the information. I thought that the new model would be
> using "/etc/apt/trusted.gpg.d", as recommended by an online version of
> "apt-key".

I recommend not relying directly on apt-key, whether online or offline :)

> But of course the per-repository pinning of keys could make key
> management easier, as there is an n:1 link between repositories and
> keys; thus it is easier to avoid stale keys in the common key storage
> file.

Yes.  Furthermore, per-repository pinning of keys avoids the possibility
of one repository owner signing a Release file for a different
repository.  This paves the way for a local administrator to put
meaningful constraints on a given external repository (e.g. pinning
which packages can be shipped from that repo, or restricting maintainer
scripts from running).

I welcome any and all help in continuing to drive the ecosystem down
this path.

Regards,

        --dkg
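As an added example, not part of dkg's message and not code from Debian or apt: a POSIX shell script that writes the per-repository configuration described above, a deb822 `.sources` entry carrying `Signed-By:` (sources.list(5)) so the repository's key is only an authority for that repository, and an apt_preferences(5) file that denies everything from the repository's hostname and then re-allows only named packages. The repository URL, package names and keyring path are constructed placeholders, and the script writes under a root directory argument so it can be tried without touching /etc. Restricting maintainer scripts, also mentioned above, is not covered here.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Debian/apt.
# Writes a per-repository apt configuration for a third-party archive:
#   <root>/etc/apt/sources.list.d/<name>.sources  (deb822, with Signed-By)
#   <root>/etc/apt/preferences.d/<name>.pref      (origin pin, allow-list)
# Repository URL, package names and keyring path are constructed placeholders.
set -eu

# write_sources ROOT NAME URL SUITE COMPONENTS KEYRING
# KEYRING is a binary OpenPGP keyring (e.g. output of "gpg --dearmor") kept
# outside /etc/apt/trusted.gpg.d, since keys there are trusted for every repo.
write_sources() {
    root=$1 name=$2 url=$3 suite=$4 comps=$5 keyring=$6
    [ -s "$keyring" ] || { echo "keyring $keyring missing or empty" >&2; return 1; }
    mkdir -p "$root/etc/apt/sources.list.d"
    cat > "$root/etc/apt/sources.list.d/$name.sources" <<EOF
Types: deb
URIs: $url
Suites: $suite
Components: $comps
Signed-By: $keyring
EOF
}

# host_of URL -> prints the hostname, which is what "Pin: origin" matches on.
host_of() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h"
}

# write_pin ROOT NAME URL "PKG1 PKG2 ..."
# A negative priority means apt never installs a version from that origin
# (apt_preferences(5)); the specific stanzas re-allow only the listed packages.
write_pin() {
    root=$1 name=$2 allowed=$4
    host=$(host_of "$3")
    mkdir -p "$root/etc/apt/preferences.d"
    {
        printf '# Deny every package from %s unless re-allowed below\n' "$host"
        printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n' "$host"
        for pkg in $allowed; do
            printf '\n# Allow %s from %s\n' "$pkg" "$host"
            printf 'Package: %s\nPin: origin %s\nPin-Priority: 500\n' "$pkg" "$host"
        done
    } > "$root/etc/apt/preferences.d/$name.pref"
}

# check_sources ROOT
# Fails if any .sources file lacks Signed-By or points its keyring at
# trusted.gpg.d, which would silently make that key a global authority again.
check_sources() {
    root=$1
    for f in "$root"/etc/apt/sources.list.d/*.sources; do
        [ -e "$f" ] || continue
        kr=$(sed -n 's/^Signed-By: *//p' "$f")
        [ -n "$kr" ] || { echo "$f: no Signed-By" >&2; return 1; }
        case $kr in
            */trusted.gpg.d/*) echo "$f: keyring under trusted.gpg.d" >&2; return 1 ;;
        esac
    done
}

# Usage (writes under a scratch root so nothing touches /etc):
#   sh thirdparty-repo.sh demo
if [ "${1:-}" = demo ]; then
    root=$(mktemp -d)
    printf 'placeholder keyring bytes\n' > "$root/example-archive-keyring.gpg"
    write_sources "$root" example https://deb.example.com/debian stable main \
        "$root/example-archive-keyring.gpg"
    write_pin "$root" example https://deb.example.com/debian "foo-tool libfoo1"
    check_sources "$root"
    cat "$root/etc/apt/sources.list.d/example.sources" \
        "$root/etc/apt/preferences.d/example.pref"
fi
```

On a real system the root argument is `/`, the keyring goes somewhere like /usr/share/keyrings or /etc/apt/keyrings, and `apt-cache policy <pkg>` shows the resulting priorities; `apt-key` and /etc/apt/trusted.gpg.d are left alone, which is the point.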