Here’s something I don’t get: why is there a trusted “2012 CD signing key” on my Ubuntu 24.04 machines, when there is also a “2018” signing key? Shouldn’t this be a transition that could have completed within five years? Shouldn’t we be able to tie the 2012 key to a specific repository set, instead of all packages? The latter includes PPAs and I really wish neither of those CD signing keys were valid for that purpose.
The cryptographic domains should be separated:
- One CD signing key, tied to the CD/DVD packages
- One online release signing key, tied to the Ubuntu main/security sources
- One key per PPA, tied to that PPA
Deprecating globally-trusted keys for PPAs is a good step, but the globally-trusted release keys (especially ones that are over a decade old) should be cleaned out immediately as well.
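One way to check how far a machine is from the separation described above, as an added example that is not part of the original post: a shell audit of deb822 APT source stanzas that have no Signed-By field and therefore fall back on every keyring in the global trust domain. The file names, URLs and keyring path in the sample directory are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not the post's code): find deb822 APT stanzas that have no Signed-By
# field and therefore accept any keyring in /etc/apt/trusted.gpg.d, i.e. the global
# trust domain the post wants reserved for the distro's own release key.
set -eu

# Print "file:stanza-number URIs" for each stanza in DIR/*.sources lacking Signed-By.
# A blank line separates stanzas, as in apt's deb822 format; field names are
# matched case-insensitively.
unscoped_sources() {
    local dir="$1" f
    for f in "$dir"/*.sources; do
        [ -e "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function flush() {
                if (seen && !signed) printf "%s:%d %s\n", file, n, uri
                seen = 0; signed = 0; uri = ""
            }
            /^[[:space:]]*$/ { flush(); next }
            /^#/ { next }
            !seen { n++; seen = 1 }
            tolower($0) ~ /^signed-by:/ { signed = 1 }
            tolower($0) ~ /^uris:/ { sub(/^[^:]*:[[:space:]]*/, ""); uri = $0 }
            END { flush() }
        ' "$f"
    done
}

# Constructed sample (hypothetical paths and URLs): one stanza pinned to its own
# keyring with Signed-By, one PPA-style stanza that relies on global trust.
demo() {
    local tmp; tmp="$(mktemp -d)"
    cat >"$tmp/github-cli.sources" <<'EOF'
Types: deb
URIs: https://cli.github.com/packages
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/githubcli-archive-keyring.gpg
EOF
    cat >"$tmp/example-ppa.sources" <<'EOF'
Types: deb
URIs: https://ppa.example.invalid/ubuntu
Suites: noble
Components: main
EOF
    unscoped_sources "$tmp"
    rm -rf "$tmp"
}

demo   # prints: example-ppa.sources:1 https://ppa.example.invalid/ubuntu
```

Point `unscoped_sources` at /etc/apt/sources.list.d to list the stanzas on a real system that still trust the whole global keyring set.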
Semi-related pro tip: extrepo
Many packages are supported in extrepo, which handles the keys for you. There is no need for arcane gpg format-conversion commands, no worrying about whether the key goes into /usr (incorrect under Unix philosophy, but widely recommended) or /etc, no manually editing sources files, and especially no cursed curl | bash invocation.
$ sudo apt install extrepo
And then you can do stuff like:
$ extrepo search github
$ sudo extrepo enable github-cli
$ sudo apt install --update gh
This is especially useful for upstreams that distribute an official deb package, outside of PPAs. I aim to get the code from as close to the source as possible, where the distro itself doesn’t suit my needs.