Enhancing cross-distro collaboration via foreign archive keyring availability
Nick Rosbrook
nick.rosbrook at canonical.com
Fri Sep 13 13:07:17 UTC 2024
On Thu, Sep 12, 2024 at 3:32 PM Shengjing Zhu
<shengjing.zhu at canonical.com> wrote:
>
> On Wed, Sep 11, 2024 at 1:12 AM Robie Basak <robie.basak at ubuntu.com> wrote:
> > But if all we're doing is taking the keys from other places and updating
> > them in Ubuntu, validated by some process that ultimately relies on some
> > set of people to assert that the keys are correct, then what are we
> > achieving anyway? Can this not just be automated then, and tooling be
> > provided in the archive instead, so users can just do that directly when
> > they need? Then there would be much reduced burden on maintainence,
> > including for the relevant privileged review teams.
>
> I don't see the problem of putting a slight burden on the review
> teams, if there is a tool/process to update, review and validate the
> content of the keyring.
> If the distro maintainers can save users' burden then why not? In the
> current implementation, users can just update the keyring by running
> `apt update`. It's simple and easy for users.
>
I agree with this point. I think Luca has explained why the current
architecture is appropriate here, and it sounds like the updates to
these packages would be infrequent. So, in my opinion, a pretty
straightforward addition to "Documentation for Special Cases" is all
we need here.
-Nick
More information about the ubuntu-devel
mailing list