Debian Bug report logs - #480478
RFP: debian-backports-keyring -- GnuPG archive key of the backports.org repository

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Robert Millan <rmh@aybabtu.com>

Date: Sat, 10 May 2008 11:09:01 UTC

Severity: wishlist

Done: Gerfried Fuchs <rhonda@deb.at>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#480478; Package debian-backports-keyring. Full text and rfc822 format available.

Acknowledgement sent to Robert Millan <rmh@aybabtu.com>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@aybabtu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trust chain is broken; please get this in lenny
Date: Sat, 10 May 2008 13:06:21 +0200
Package: debian-backports-keyring
Version: 2007.06.10
Severity: wishlist

[ Not sure if the BTS groks backports.org.  Maybe it gets confused and asks
  someone for help, but I suppose this is the best way to find out, anyway
  (Martin, sorry for the nuisance if you read this). ]

Well, to the point.  The fact that the package providing a key to validate
packages from bpo is itself a bpo package, kinda defeats the point.  It's
only useful to shut up APT warnings AFAICS.

Please, consider uploading this to sid, so that it is included in lenny and
a complete trust chain from lenny to bpo can be used.

Thanks!

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)




Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#480478; Package debian-backports-keyring. Full text and rfc822 format available.

Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. Full text and rfc822 format available.

Message #10 received at 480478@bugs.debian.org (full text, mbox):

From: Martin Michlmayr <tbm@cyrius.com>
To: Robert Millan <rmh@aybabtu.com>, 480478@bugs.debian.org
Cc: Alexander Wirt <formorer@debian.org>
Subject: Re: Bug#480478: trust chain is broken; please get this in lenny
Date: Sat, 10 May 2008 20:13:50 +0200
* Robert Millan <rmh@aybabtu.com> [2008-05-10 13:06]:
> Package: debian-backports-keyring
> Version: 2007.06.10
> Severity: wishlist
> 
> [ Not sure if the BTS groks backports.org.  Maybe it gets confused and asks
>   someone for help, but I suppose this is the best way to find out, anyway
>   (Martin, sorry for the nuisance if you read this). ]

No, the BTS doesn't know about it.  Let's CC Alexander.

> Well, to the point.  The fact that the package providing a key to validate
> packages from bpo is itself a bpo package, kinda defeats the point.  It's
> only useful to shut up APT warnings AFAICS.
> 
> Please, consider uploading this to sid, so that it is included in lenny and
> a complete trust chain from lenny to bpo can be used.
> 
> Thanks!
> 
> -- System Information:
> Debian Release: 4.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-6-amd64
> Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)
> 

-- 
Martin Michlmayr
http://www.cyrius.com/




Reply sent to Martin Michlmayr <tbm@cyrius.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Robert Millan <rmh@aybabtu.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 480478-done@bugs.debian.org (full text, mbox):

From: Martin Michlmayr <tbm@cyrius.com>
To: 480478-done@bugs.debian.org
Subject: not in Debian
Date: Fri, 20 Jun 2008 19:49:07 +0200
Closing.
-- 
Martin Michlmayr
http://www.cyrius.com/




Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#480478; Package debian-backports-keyring. Full text and rfc822 format available.

Message #18 received at 480478@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@aybabtu.com>
To: 480478@bugs.debian.org
Cc: Alexander Wirt <formorer@debian.org>, debian-devel@lists.debian.org
Subject: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 21 Jun 2008 14:27:48 +0200
reopen 480478
retitle 480478 ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
reassign 480478 wnpp
thanks

* Package name    : debian-backports-keyring
* URL             : http://backports.org/debian/pool/main/d/debian-backports-keyring/
* License         : GPLv2+
  Description     : GnuPG archive key of the backports.org repository

Alexander, please let me know if you have any objection to this key being
added to the archive, or if you would like to be the maintainer for this
package or just the upstream (either way is fine with me).

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)




Bug reopened, originator not changed. Request was from Robert Millan <rmh@aybabtu.com> to control@bugs.debian.org. (Sat, 21 Jun 2008 12:30:04 GMT) Full text and rfc822 format available.

Changed Bug title to `ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository' from `trust chain is broken; please get this in lenny'. Request was from Robert Millan <rmh@aybabtu.com> to control@bugs.debian.org. (Sat, 21 Jun 2008 12:30:05 GMT) Full text and rfc822 format available.

Bug reassigned from package `debian-backports-keyring' to `wnpp'. Request was from Robert Millan <rmh@aybabtu.com> to control@bugs.debian.org. (Sat, 21 Jun 2008 12:30:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #29 received at 480478@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Robert Millan <rmh@aybabtu.com>
Cc: 480478@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 21 Jun 2008 15:52:12 +0200
Robert Millan wrote on Saturday, 21 June 2008:

> reopen 480478
> retitle 480478 ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
> reassign 480478 wnpp
> thanks
> 
> * Package name    : debian-backports-keyring
> * URL             : http://backports.org/debian/pool/main/d/debian-backports-keyring/
> * License         : GPLv2+
>   Description     : GnuPG archive key of the backports.org repository
> 
> Alexander, please let me know if you have any objection to this key being
> added to the archive, or if you would like to be the maintainer for this
> package or just the upstream (either way is fine with me).
I'm still not that sure if it's a good idea to add a non-official debian repo
keyring into the archive... But I let the decision to the ftp-masters..

Alex





Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #34 received at 480478@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: debian-devel@lists.debian.org
Cc: 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 21 Jun 2008 19:34:59 +0200
Hi,

On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> I'm still not that sure if it's a good idea to add a non-official debian repo
> keyring into the archive... 

Nobody is forced to install it?!

And AFAICS we regularly recommend backports.org to users, who need newer
software. So I think it should be in.


regards,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #39 received at 480478@bugs.debian.org (full text, mbox):

From: Roberto C. Sánchez <roberto@connexer.com>
To: debian-devel@lists.debian.org
Cc: 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 21 Jun 2008 13:38:07 -0400
On Sat, Jun 21, 2008 at 07:34:59PM +0200, Holger Levsen wrote:
> Hi,
> 
> On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> > I'm still not that sure if it's a good idea to add a non-official debian repo
> > keyring into the archive... 
> 
> Nobody is forced to install it?!
> 
> And AFAICS we regularly recommend backports.org to users, who need newer
> software. So I think it should be in.
> 
But backports.org is still unofficial.  If it were permitted, then what
would happen when other unofficial repository maintainers want to
package their repository keyrings?  Will those be allowed or disallowed?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Michael Tautschnig <mt@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #44 received at 480478@bugs.debian.org (full text, mbox):

From: Michael Tautschnig <mt@debian.org>
To: debian-devel@lists.debian.org, 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 21 Jun 2008 20:12:01 +0200
> On Sat, Jun 21, 2008 at 07:34:59PM +0200, Holger Levsen wrote:
> > Hi,
> > 
> > On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> > > I'm still not that sure if it's a good idea to add a non-official debian repo
> > > keyring into the archive... 
> > 
> > Nobody is forced to install it?!
> > 
> > And AFAICS we regularly recommend backports.org to users, who need newer
> > software. So I think it should be in.
> > 
> But backports.org is still unofficial.  If it were permitted, then what
> would happen when other unofficial repository maintainers want to
> package their repository keyrings?  Will those be allowed or disallowed?
>

What's wrong with packaging a keyring? Does a keyring package differ in any way
from a "normal" (whatever that is...) package? It installs some files and in
some sense modifies your system. It does not download any software itself, so
what?

Best,
Michael


Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to "Wesley J. Landaker" <wjl@icecavern.net>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #49 received at 480478@bugs.debian.org (full text, mbox):

From: "Wesley J. Landaker" <wjl@icecavern.net>
To: debian-devel@lists.debian.org
Cc: 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 21 Jun 2008 12:17:47 -0600
On Saturday 21 June 2008 11:38:07 Roberto C. Sánchez wrote:
> On Sat, Jun 21, 2008 at 07:34:59PM +0200, Holger Levsen wrote:
> > Hi,
> >
> > On Saturday 21 June 2008 15:52, Alexander Wirt wrote:
> > > I'm still not that sure if it's a good idea to add a non-official
> > > debian repo keyring into the archive...
> >
> > Nobody is forced to install it?!
> >
> > And AFAICS we regularly recommend backports.org to users, who need newer
> > software. So I think it should be in.
>
> But backports.org is still unofficial.  If it were permitted, then what
> would happen when other unofficial repository maintainers want to
> package their repository keyrings?  Will those be allowed or disallowed?

Maybe a common, group maintained, debian-unofficial-keyring package?

-- 
Wesley J. Landaker <wjl@icecavern.net> <xmpp:wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Message #52 received at 480478@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@aybabtu.com>
To: 480478@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sun, 22 Jun 2008 01:02:54 +0200
On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
> I'm still not that sure if it's a good idea to add a non-official debian repo
> keyring into the archive... But I let the decision to the ftp-masters..

Well, currently a problem is the only way to get a trusted path to the bpo
repository is by fetching debian-backports-keyring from it, checking your
signature in its .dsc, etc.  So this is what I'm trying to solve.

As for being non-official, I can try to make it clear in the package
description that this key isn't officially endorsed by Debian, etc; does
this sound fine to you?

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #57 received at 480478@bugs.debian.org (full text, mbox):

From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
To: debian-devel@lists.debian.org, 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sun, 22 Jun 2008 18:14:25 +0200
Hi,

On Sat, Jun 21, 2008 at 01:38:07PM -0400, Roberto C. Sánchez wrote:
> But backports.org is still unofficial.

so what? It's unofficial, but still it's of great use for the most Debian
users.

> If it were permitted, then what
> would happen when other unofficial repository maintainers want to
> package their repository keyrings?  Will those be allowed or disallowed?

In my humble opinion they should be allowed to be packaged as if they
are normal packages. Don't get me wrong, but Debian is a distribution,
so what we basically do is pack up things that are worth distributing
and distribute them. This way Debian users can benefit from our work and
of course upstream's work. It would be the same for other keyrings. It's
for the benefit of a larger audience of Debian users. Of course this
is not true for every keyring out there. So my approach isn't to let
every keyring into the archive, but decide on case to case. Similar to
what's being done with usual packages.
It's already common for usual packages that they shouldn't be added
if they don't provide benefit to *some* Debian users, like tools
for a common goal which is already solved well and good by a
lot of other tools in the archive.

Best Regards,
Patrick




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #62 received at 480478@bugs.debian.org (full text, mbox):

From: Adam Majer <adamm@zombino.com>
Cc: debian-devel@lists.debian.org, 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sun, 22 Jun 2008 13:08:30 -0500
Patrick Schoenfeld wrote:
> In my humble opinion they should be allowed to be packaged as if they
> are normal packages. Don't get me wrong, but Debian is a distribution,
> so what we basically do is pack up things that are worth distributing
> and distribute them. This way Debian users can benefit from our work and

AFAIK, we do not distribute "things", we distribute *software*. Some
packages are just composed of data though, but other packages depend on
it. Some is just data that is very useful in the *Debian* project. This
includes the keyring.

Certainly, the backports.org keyring is useful to some people, *but* it is,

  1. not free software
  2. free software does not depend on it
  3. not part of Debian's important data stuff

If backports.org keyring gets distributed, then I would argue it allows
other, non-software data to be packaged as well. For example, some free
anime movies, or the Gutenberg project packages.

Debian is for *free software* (and some non-free) and stuff that is related
to Debian. It is not for backports.org, or Ubuntu, or some other stuff.

- Adam




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Goswin von Brederlow <goswin-v-b@web.de>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #67 received at 480478@bugs.debian.org (full text, mbox):

From: Goswin von Brederlow <goswin-v-b@web.de>
To: Adam Majer <adamm@zombino.com>
Cc: debian-devel@lists.debian.org, 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sun, 22 Jun 2008 21:37:46 +0200
Adam Majer <adamm@zombino.com> writes:

> If backports.org keyring gets distributed, then I would argue it allows
> other, non-software data to be packaged as well. For example, some free
> anime movies, or the Gutenberg project packages.
>
> Debian is for *free software* (and some non-free) and stuff that is related
> to Debian. It is not for backports.org, or Ubuntu, or some other stuff.
>
> - Adam

I would argue that backports.org, while not official, is very much
related to Debian and having a secure path to the keyring is to great
benefit to debian users. Such a keyring is also very small.

Three things you can't say about free anime movies or the Gutenberg
project packages.

Kind regards
        Goswin

PS: I would prefer if apt-get could fetch and verify keyring updates
directly from a repository though. Keyring packages are awful for key
rollovers.




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #72 received at 480478@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: Robert Millan <rmh@aybabtu.com>
Cc: 480478@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sun, 22 Jun 2008 22:34:15 +0200
Robert Millan wrote:
> On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
>> I'm still not that sure if it's a good idea to add a non-official debian repo
>> keyring into the archive... But I let the decision to the ftp-masters..
> 
> Well, currently a problem is the only way to get a trusted path to the bpo
> repository is by fetching debian-backports-keyring from it, checking your
> signature in its .dsc, etc.  So this is what I'm trying to solve.

Hmm, are there not 2 other ways documented on backports.org as you can
see below?

Cheers

Luk

--------------------------
 If you are using etch and you want apt to verify the downloaded
backports you can import backports.org archive’s key into apt:

apt-get install debian-backports-keyring

or

gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
gpg --export | apt-key add -

or

wget -O - http://backports.org/debian/archive.key | apt-key add -
--------------------------




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Message #75 received at 480478@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@aybabtu.com>
To: Luk Claes <luk@debian.org>
Cc: 480478@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sun, 22 Jun 2008 23:19:57 +0200
On Sun, Jun 22, 2008 at 10:34:15PM +0200, Luk Claes wrote:
> Robert Millan wrote:
> > On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
> >> I'm still not that sure if it's a good idea to add a non-official debian repo
> >> keyring into the archive... But I let the decision to the ftp-masters..
> > 
> > Well, currently a problem is the only way to get a trusted path to the bpo
> > repository is by fetching debian-backports-keyring from it, checking your
> > signature in its .dsc, etc.  So this is what I'm trying to solve.
> 
> Hmm, are there not 2 other ways documented on backports.org as you can
> see below?
> --------------------------
>  If you are using etch and you want apt to verify the downloaded
> backports you can import backports.org archive’s key into apt:
> 
> apt-get install debian-backports-keyring
> 
> or
> 
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
> 
> or
> 
> wget -O - http://backports.org/debian/archive.key | apt-key add -
> --------------------------

These examples just add the key to apt's keyring, but they don't provide any
trusted path to it.  One has to blindly believe that the key being downloaded
by apt-get, gpg [1] or wget belongs to its owner.

[1] In the gpg example, you could happen to have a trusted key in your database
    that provides a trusted path to bpo's key, but for the average user this is
    IMHO not an acceptable solution.

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Brian May <brian@microcomaustralia.com.au>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #80 received at 480478@bugs.debian.org (full text, mbox):

From: Brian May <brian@microcomaustralia.com.au>
To: Adam Majer <adamm@zombino.com>
Cc: debian-devel@lists.debian.org, 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Mon, 23 Jun 2008 11:35:20 +1000
Adam Majer wrote:
> Certainly, the backports.org keyring is useful to some people, *but* it is,
>
>   1. not free software
>   
Presumably the following packages would never have made it into Debian 
if a public key didn't comply with the DFSG.

debian-archive-keyring - GnuPG archive keys of the Debian archive
debian-edu-archive-keyring - GnuPG archive keys of the Debian Edu archive
debian-keyring - GnuPG (and obsolete PGP) keys of Debian Developers
debian-maintainers - GPG keys of Debian maintainers
emdebian-archive-keyring - GnuPG archive keys for the emdebian repository

Having said that, having one entire package for one key file seems like 
overkill to me; is there not any other way of securely distributing the key?

Brian May




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Brian May <brian@microcomaustralia.com.au>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #85 received at 480478@bugs.debian.org (full text, mbox):

From: Brian May <brian@microcomaustralia.com.au>
To: Luk Claes <luk@debian.org>
Cc: Robert Millan <rmh@aybabtu.com>, 480478@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Mon, 23 Jun 2008 11:39:36 +1000
Luk Claes wrote:
> apt-get install debian-backports-keyring
>
> or
>
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
>   
This involves 3 separate commands, and modifies files under 
/root/.gnupg/ at the same time. Seems overly complicated, especially for 
non-technical people. Would it be possible to simplify this?
> or
>
> wget -O - http://backports.org/debian/archive.key | apt-key add -
>   
Brian May




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Message #88 received at 480478@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@aybabtu.com>
To: Brian May <brian@microcomaustralia.com.au>
Cc: Luk Claes <luk@debian.org>, 480478@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Mon, 23 Jun 2008 10:25:10 +0200
On Mon, Jun 23, 2008 at 11:39:36AM +1000, Brian May wrote:
> Luk Claes wrote:
> >apt-get install debian-backports-keyring
> >
> >or
> >
> >gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> >gpg --export | apt-key add -
> >  
> This involves 3 separate commands, and modifies files under 
> /root/.gnupg/ at the same time. Seems overly complicated, especially for 
> non-technical people. Would it be possible to simplify this?

The problem is not simplifying the process, but finding one that is not flawed
and actually provides security.

This ITP is not about making it simpler.

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Message #91 received at 480478@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@aybabtu.com>
To: debian-devel@lists.debian.org, 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Mon, 23 Jun 2008 18:05:28 +0200
On Sun, Jun 22, 2008 at 01:08:30PM -0500, Adam Majer wrote:
> 
> Certainly, the backports.org keyring is useful to some people, *but* it is,
> 
>   1. not free software

I don't think there's a legal basis to claim copyright on a blob of random
bytes generated by a program.  Who's the copyright holder?  gpg?  The authors
of gpg?  The person who typed gpg in command-line?  The entropy source?

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)




Tags added: pending Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Fri, 27 Jun 2008 20:06:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #98 received at 480478@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: debian-devel@lists.debian.org
Cc: 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 28 Jun 2008 02:48:15 +0200
Hi,

while I'm actually in favor of adding this package because it makes it a lot
easier to obtain a trustpath to the backports.org repo, which is important
to our users, it's not true that there isn't a documented trusted path to
install the key.

It's documented here: http://wiki.debian.org/DebianEdu/Documentation/Etch/HowTo/Administration#head-136bb7e75e07e8b6463e6b30761ac51776c5c27d

# add backports.org repo to /etc/apt/sources.list
echo "deb http://www.backports.org/debian etch-backports main contrib non-free" >> /etc/apt/sources.list
# install the debian-keyring securely:
aptitude install debian-keyring
# fetch the backports.org key insecurely:
gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 16BA136C
# check securely if the key is correct and add it to root's keyring if it is:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C && gpg --export 16BA136C | apt-key add -
# update the list of available packages:
aptitude update

But it's really quite complicated and a lot to type :)

So I would definitely prefer a package, optionally with a low-priority debconf
question (for preseeding mostly) to also edit to sources.list :-)


regards,
	Holger
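
The check that the procedure in message #98 depends on, as an added example that is not part of the original thread: it reads gpg's machine-readable `--with-colons --check-sigs` output and accepts a key only if its full fingerprint matches a pinned value and it carries a good signature from an explicitly listed signer, ignoring self-signatures. The function names, fingerprints, signer key IDs and the sample gpg output are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All fingerprints, key IDs and the gpg
# output below are constructed; function names are hypothetical.

# Constructed `gpg --with-colons --check-sigs` output for two keys that share
# the short ID 16BA136C but have different fingerprints.
sample_check_sigs() {
    cat <<'EOF'
pub:-:1024:17:FFFF000016BA136C:1200000000:::-:::scESC:
fpr:::::::::9999AAAABBBBCCCCDDDDEEEEFFFF000016BA136C:
uid:-::::1200000000::::Lookalike Archive Key <lookalike@example.invalid>:
sig:!::17:FFFF000016BA136C:1200000000::::Lookalike Archive Key <lookalike@example.invalid>:13x:
sig:?::17:B2B2B2B2B2B2B2B2:1200000100::::[User ID not found]:10x:
pub:-:1024:17:7777888816BA136C:1100000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888816BA136C:
uid:-::::1100000000::::Constructed Archive Key <archive@example.invalid>:
sig:!::17:7777888816BA136C:1100000000::::Constructed Archive Key <archive@example.invalid>:13x:
sig:!::17:A1A1A1A1A1A1A1A1:1100000100::::Constructed Developer <dev@example.invalid>:10x:
sig:-::17:C3C3C3C3C3C3C3C3:1100000200::::Constructed Signer <signer@example.invalid>:10x:
sub:-:2048:16:DDDDEEEE0000AAAA:1100000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFDDDDEEEE0000AAAA:
sig:!::17:7777888816BA136C:1100000000::::Constructed Archive Key <archive@example.invalid>:18x:
EOF
}

# count_trusted_sigs FINGERPRINT "SIGNER_ID ..."   (colon output on stdin)
# Prints how many distinct listed signers have a good ("!") signature on the
# key whose primary fingerprint equals FINGERPRINT.
count_trusted_sigs() {
    awk -F: -v want="$1" -v trusted="$2" '
        BEGIN {
            want = toupper(want)
            n = split(trusted, t, " ")
            for (i = 1; i <= n; i++) ok[toupper(t[i])] = 1
        }
        # A new primary key starts: remember its own long key ID.
        $1 == "pub" { self = toupper($5); in_target = 0; prev = "pub"; next }
        # Only the fpr record directly after pub is the primary fingerprint;
        # later fpr records belong to subkeys.
        $1 == "fpr" {
            if (prev == "pub" && toupper($10) == want) in_target = 1
            prev = "fpr"; next
        }
        $1 == "sig" && in_target {
            signer = toupper($5)
            # "!" = good, "-" = bad, "?" = no public key to check against.
            # A self-signature is always good and proves nothing about origin.
            if (substr($2, 1, 1) == "!" && signer != self &&
                (signer in ok) && !(signer in counted)) {
                counted[signer] = 1
                good++
            }
        }
        { prev = $1 }
        END { print good + 0 }
    '
}

# key_is_vouched FINGERPRINT "SIGNER_ID ..."   (colon output on stdin)
# Exit status 0 only if at least one listed signer vouches for the pinned key.
key_is_vouched() {
    n=$(count_trusted_sigs "$1" "$2") || return 2
    [ "$n" -ge 1 ]
}

# In real use the input would come from
#   gpg --with-colons --check-sigs <fingerprint>
# and the pinned fingerprint and signer list from a source obtained out of band.
TRUSTED_SIGNERS="A1A1A1A1A1A1A1A1 C3C3C3C3C3C3C3C3"
for fpr in 1111222233334444555566667777888816BA136C \
           9999AAAABBBBCCCCDDDDEEEEFFFF000016BA136C; do
    if sample_check_sigs | key_is_vouched "$fpr" "$TRUSTED_SIGNERS"; then
        echo "$fpr: signed by a trusted signer"
    else
        echo "$fpr: no good signature from a trusted signer, do not import"
    fi
done
```

Both sample keys would answer to the short ID 16BA136C and both carry a good self-signature, so a check that only looks for a `sig:!` line, or only at the short ID, would pass either of them.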

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#480478; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #103 received at 480478@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: debian-devel@lists.debian.org
Cc: 480478@bugs.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Date: Sat, 28 Jun 2008 04:20:37 +0200
On Saturday 28 June 2008 02:48, Holger Levsen wrote:
> It's documented here:
> http://wiki.debian.org/DebianEdu/Documentation/Etch/HowTo/Administration#head-136bb7e75e07e8b6463e6b30761ac51776c5c27d

now also with the correct order of commands :-)


regards,
	Holger (see, it ain't easy :-D

Owner recorded as Robert Millan <rmh@aybabtu.com>. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 14 Nov 2008 01:21:54 GMT) Full text and rfc822 format available.

Tags removed: pending Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Sun, 07 Dec 2008 06:27:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Robert Millan <rmh@aybabtu.com>:
Bug#480478; Package wnpp. (Tue, 25 May 2010 17:23:27 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Robert Millan <rmh@aybabtu.com>. (Tue, 25 May 2010 17:23:27 GMT) Full text and rfc822 format available.

Message #112 received at 480478@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 480478@bugs.debian.org
Cc: control@bugs.debian.org
Subject: debian-backports-keyring: changing back from ITP to RFP
Date: Tue, 25 May 2010 17:06:13 +0000
retitle 480478 RFP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
noowner 480478
thanks

Hi,

This is an automatic email to change the status of debian-backports-keyring back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 12 months.

If you are still interested in adopting debian-backports-keyring, please send a mail to
<control@bugs.debian.org> with:

 retitle 480478 ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
 owner 480478 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <480478@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>




Changed Bug title to 'RFP: debian-backports-keyring -- GnuPG archive key of the backports.org repository' from 'ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Tue, 25 May 2010 17:28:06 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by Robert Millan <rmh@aybabtu.com>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Tue, 25 May 2010 17:28:06 GMT) Full text and rfc822 format available.

Reply sent to Gerfried Fuchs <rhonda@deb.at>:
You have taken responsibility. (Mon, 06 Sep 2010 10:09:06 GMT) Full text and rfc822 format available.

Notification sent to Robert Millan <rmh@aybabtu.com>:
Bug acknowledged by developer. (Mon, 06 Sep 2010 10:09:06 GMT) Full text and rfc822 format available.

Message #121 received at 480478-done@bugs.debian.org (full text, mbox):

From: Gerfried Fuchs <rhonda@deb.at>
To: Robert Millan <rmh@aybabtu.com>, 480478-done@bugs.debian.org
Subject: Re: Bug#480478: trust chain is broken; please get this in lenny
Date: Mon, 6 Sep 2010 12:08:07 +0200
	Hi!

* Robert Millan <rmh@aybabtu.com> [2008-05-10 13:06:21 CEST]:
> Well, to the point.  The fact that the package providing a key to validate
> packages from bpo is itself a bpo package, kinda defeats the point.  It's
> only useful to shut up APT warnings AFAICS.
> 
> Please, consider uploading this to sid, so that it is included in lenny and
> a complete trust chain from lenny to bpo can be used.

 Not needed anymore since yesterday:

#v+
Additionally the archive is now signed by the standard ftpmaster signing
key, currently the Lenny key.
#v-
<http://lists.debian.org/debian-devel-announce/2010/09/msg00002.html>

 Please note that for a short transition period apt-get/aptitude update
will complain about an unknown key. This is because for a short
transition time we do double signatures - this can be safely ignored
because the other signature key is known, package installs won't require
any unknown signature anymore.


 Thanks for your patience!
Rhonda
-- 
"Only 11 percent of employers are of the opinion that every
person should also have a private life."
        -- http://www.karriere.at/artikel/884/
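
The double-signature transition described in the message above, as an added example that is not part of the original mail or of APT's own code: it classifies the signatures in `gpgv --status-fd` output and accepts a file when at least one signature verifies against a known key, reporting any unknown key as a warning only. The key IDs, the user ID, and the policy of rejecting on any bad signature are assumptions made for the illustration.

```python
# Constructed sample of `gpgv --status-fd 1` output for a Release file that
# carries two signatures. Key IDs and the user ID are placeholders, not real keys.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 17 2 00 1283760000 9
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Archive Key (constructed)
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2010-09-06 1283760000 0 4 0 17 2 00 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
"""

# Status keywords that mean a signature was checked and is not trustworthy.
FAILED = ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def classify_signatures(status_text):
    """Return (good, unknown, bad) sets of key IDs found in gpgv status output."""
    good, unknown, bad = set(), set(), set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore human-readable output mixed into the stream
        fields = line.split()
        if len(fields) < 3:
            continue  # keywords such as NEWSIG carry no key ID
        keyword, keyid = fields[1], fields[2]
        if keyword == "GOODSIG":
            good.add(keyid)
        elif keyword == "NO_PUBKEY":
            unknown.add(keyid)  # signature present, key not in the keyring
        elif keyword in FAILED:
            bad.add(keyid)
    return good, unknown, bad


def verdict(status_text):
    """Assumed policy: any bad signature rejects; one good signature suffices."""
    good, unknown, bad = classify_signatures(status_text)
    if bad or not good:
        return "reject"
    return "accept-with-warning" if unknown else "accept"


if __name__ == "__main__":
    print(verdict(SAMPLE_STATUS))
```

A file signed only by the unknown key yields `reject`, which is the situation the original report describes when the only source of the key is the repository it is meant to validate.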




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Oct 2010 07:39:08 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 21:06:38 2014; Machine Name: beach.debian.org
