debsuryorg-archive-keyring

Malcolm Scott Malcolm.Scott at cl.cam.ac.uk
Thu Feb 13 16:17:56 UTC 2025


Hi Ondřej,

That's a fair point; I am indeed trusting you anyway by installing your 
packages :-)

I mainly noticed this because I am temporarily building my own patched 
version of your package with a workaround for the SIG(0) key limit problem I 
reported some months back [1], and realised that if I used your sources, I'd 
have to ship debsuryorg-archive-keyring in my own PPA too.

Thanks,

Malcolm

[1] https://gitlab.isc.org/isc-projects/bind9/-/issues/5050


On Thu, 13 Feb 2025, Ondřej Surý wrote:

> Hi Malcolm,
>
> if you trust me to produce BIND 9 code directly from the upstream,
> I guess that trust can be transitioned to the packaging repositories.
>
> The packaging is created in a way that makes it easy to create
> packages for both Ubuntu and Debian in the same way.
>
> I'll add some text to the KB, thanks for raising the issue here.
>
> Ondřej
> P.S.: However, you are right that for Ubuntu PPAs there could be just
> a dummy package with no keys and that would make it a little less
> confusing. The package is set up like this intentionally for now
> and it will get gradually upgraded to the signed-by method as the
> distributions supporting that will get deprecated. As of now, the
> change you mentioned will be included in Debian Trixie that hasn't
> been released yet, and there are too many installations that still use
> the old method.
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
>> On 13. 2. 2025, at 16:57, Malcolm Scott via bind-users <bind-users at lists.isc.org> wrote:
>>
>> Hi all,
>>
>> With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at https://launchpad.net/~isc/+archive/ubuntu/bind, depend on debsuryorg-archive-keyring?  That package makes Apt trust a key for an entirely different Apt repository, not used (as far as I can tell) by the Launchpad PPA at all.  (Also it installs the key into /etc/apt/trusted.gpg.d, which is considered insecure and deprecated [1].)
>>
>> $ apt-key list
>> (...)
>> /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
>> ---------------------------------------------
>> pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
>>      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
>> uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb at sury.org>
>> sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
>> (...)
>>
>> (Or should I treat deb.sury.org, rather than the Launchpad PPA, as the official repository for these packages?)
>>
>> Malcolm
>>
>>
>> [1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS
>
>
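
An audit of the situation discussed in this thread, added here as an example and not part of any message or of ISC's packaging: apt checks a source that has no Signed-By option against every key in /etc/apt/trusted.gpg.d, so the script reports those keys together with the sources they implicitly cover. The repository URIs, the `example.gpg` keyring path and all function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# One-line format: "deb [opt=val ...] uri suite component..."
ONE_LINE = re.compile(r"^\s*deb(?:-src)?\s+(?:\[([^\]]*)\]\s*)?(\S+)")

def audit_list(text):
    """URIs of one-line (*.list) entries that carry no signed-by= option."""
    return [m.group(2) for m in map(ONE_LINE.match, text.splitlines())
            if m and "signed-by=" not in (m.group(1) or "").lower()]

def audit_sources(text):
    """URIs of deb822 (*.sources) stanzas that carry no Signed-By field."""
    hits = []
    for stanza in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep and not key[:1].isspace() and not key.startswith("#"):
                fields[key.strip().lower()] = value.strip()
        if "uris" in fields and "signed-by" not in fields:
            hits.append(fields["uris"])
    return hits

def audit_root(root="/"):
    """Return (keys apt trusts for every source, sources not pinned to a key)."""
    apt = Path(root) / "etc/apt"
    unpinned = []
    for p in [apt / "sources.list", *sorted((apt / "sources.list.d").glob("*"))]:
        if p.is_file() and p.suffix in (".list", ".sources"):
            check = audit_sources if p.suffix == ".sources" else audit_list
            unpinned += [(p.name, uri) for uri in check(p.read_text())]
    return sorted(p.name for p in (apt / "trusted.gpg.d").glob("*.gpg")), unpinned

def build_sample():
    """Constructed tree: a legacy source, a pinned source, one global key."""
    apt = Path(tempfile.mkdtemp()) / "etc/apt"
    (apt / "sources.list.d").mkdir(parents=True)
    (apt / "trusted.gpg.d").mkdir()
    (apt / "trusted.gpg.d/debsuryorg-archive.gpg").write_bytes(b"")  # empty stand-in
    (apt / "sources.list.d/legacy.list").write_text(
        "deb https://ppa.example.invalid/bind noble main\n")
    (apt / "sources.list.d/pinned.sources").write_text(
        "Types: deb\nURIs: https://repo.example.invalid/bind\nSuites: noble\n"
        "Components: main\nSigned-By: /etc/apt/keyrings/example.gpg\n")
    return apt.parents[1]

if __name__ == "__main__":
    print(audit_root(build_sample()))
```

Calling `audit_root()` with no argument reads the live `/etc/apt` tree; it only reads files and changes nothing.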

