debsuryorg-archive-keyring

Ondřej Surý ondrej at isc.org
Thu Feb 13 16:08:06 UTC 2025


Hi Malcolm,

if you trust me to produce BIND 9 code directly from the upstream,
I guess that trust can be transitioned to the packaging repositories.

The packaging is created in a way that makes it easy to create
packages for both Ubuntu and Debian in the same way.

I'll add some text to the KB, thanks for raising the issue here.

Ondřej
P.S.: However, you are right that for Ubuntu PPAs there could be just
a dummy package with no keys, and that would make it a little less
confusing. The package is set up like this intentionally for now,
and it will gradually get upgraded to the signed-by method as the
distributions supporting that get deprecated. As of now, the
change you mentioned will be included in Debian Trixie, which hasn't
been released yet, and there are too many installations that still use
the old method.
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 13. 2. 2025, at 16:57, Malcolm Scott via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hi all,
> 
> With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at https://launchpad.net/~isc/+archive/ubuntu/bind, depend on debsuryorg-archive-keyring?  That package makes Apt trust a key for an entirely different Apt repository, not used (as far as I can tell) by the Launchpad PPA at all.  (Also it installs the key into /etc/apt/trusted.gpg.d, which is considered insecure and deprecated [1].)
> 
> $ apt-key list
> (...)
> /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
> ---------------------------------------------
> pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
>      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
> uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb at sury.org>
> sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
> (...)
> 
> (Or should I treat deb.sury.org, rather than the Launchpad PPA, as the official repository for these packages?)
> 
> Malcolm
> 
> 
> [1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
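
The two key-trust methods discussed in this thread differ in scope: a key under /etc/apt/trusted.gpg.d is accepted for every source entry that names no keyring of its own, while signed-by binds one keyring to one entry. As an added example (not code from the thread, from ISC, or from the packaging), this Python script parses one-line and deb822 source definitions and lists the entries that still rely on the global keyrings; the file names, URIs and keyring path are constructed sample values.

```python
import re

def parse_one_line(text):
    """Yield (uri, signed_by) for each entry of a one-line-style *.list file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m.group(1) or "").split() if "=" in o)
        yield m.group(2), opts.get("signed-by")

def parse_deb822(text):
    """Yield (uri, signed_by) for each enabled stanza of a deb822 *.sources file."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line.startswith("#"):
                continue
            if line[:1] in (" ", "\t") and key:        # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip().lower()              # field names are case-insensitive
                fields[key] = value.strip()
        if "uris" not in fields or fields.get("enabled", "yes").lower() in ("no", "false"):
            continue
        for uri in fields["uris"].split():
            yield uri, fields.get("signed-by")

def audit(files):
    """Return [(filename, uri)] for entries that fall back to the global trusted keyrings."""
    findings = []
    for name, text in files.items():
        parser = parse_deb822 if name.endswith(".sources") else parse_one_line
        findings += [(name, uri) for uri, key in parser(text) if not key]
    return findings

# Constructed sample input: hypothetical file names, URIs and keyring path.
SAMPLE = {
    "legacy.list": "# old style\ndeb https://ppa.example.org/ubuntu noble main\n"
    "deb [arch=amd64 signed-by=/etc/apt/keyrings/example.gpg] https://repo.example.org/debian bookworm main\n",
    "mixed.sources": "Types: deb\nURIs: https://repo.example.org/debian\nSuites: bookworm\n"
    "Components: main\nSigned-By: /etc/apt/keyrings/example.gpg\n\n"
    "Types: deb\nURIs: https://other.example.org/debian\nSuites: bookworm\nComponents: main\n",
}

if __name__ == "__main__":
    for name, uri in audit(SAMPLE):
        print(f"{name}: {uri} has no signed-by; any globally trusted key is accepted")
```

To check a real system, build the `files` mapping from the contents of /etc/apt/sources.list and the files under /etc/apt/sources.list.d instead of `SAMPLE`.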
