[Git-commits] [grml/grml-debian-keyring] 1323d4: move archive keyring out of global trust path

Michael Prokop mika at grml.org
Sat May 26 15:10:11 CEST 2018


  Branch: refs/heads/mika/wip
  Home:   https://github.com/grml/grml-debian-keyring
  Commit: 1323d48e442a93c81616ec0dd2268427043191be
      https://github.com/grml/grml-debian-keyring/commit/1323d48e442a93c81616ec0dd2268427043191be
  Author: Antoine Beaupré <anarcat at debian.org>
  Date:   2018-02-15 (Thu, 15 Feb 2018)

  Changed paths:
    M debian/install
    A keyrings/grml-archive-keyring.gpg
    R keyrings/grml-archive.gpg

  Log Message:
  -----------
  move archive keyring out of global trust path

The [repository instructions][1] have been changed to avoid writing
third-party keyring files to the global trust anchors (in
`/etc/apt/trusted.gpg.d`) and instead write those to a more neutral
location (`/usr/share/keyrings`, alongside other keyring files).

[1]: https://wiki.debian.org/RepositoryInstructions

The downside of this change is that the key fingerprint isn't
validated directly through this process. But considering that
validation of the key is anchored through HTTPS validation in the
first place, we do not *really* lose anything by moving that to the
`.gpg` file transfer: that file's integrity is still checked through
HTTPS. Furthermore, not storing the explicit fingerprint here will
make future key rotations easier as they will not require
documentation updates.

Note that this change will also require a change in the
`grml-debian-keyring` package to install the keyring file in the new
location. If that package does not install a `.sources` or `.list`
file, that move will also break existing configurations, so a NEWS
entry might be in order as well.

This is related to the [proposed website documentation change][2].

[2]: https://github.com/grml/grml.org/pull/21


  Commit: dabedf8ea75c226b334db2ab460e5254b31f4cff
      https://github.com/grml/grml-debian-keyring/commit/dabedf8ea75c226b334db2ab460e5254b31f4cff
  Author: Michael Prokop <mika at grml.org>
  Date:   2018-05-26 (Sat, 26 May 2018)

  Changed paths:
    M md5sums.txt

  Log Message:
  -----------
  Update md5sums.txt for new filename of keyring file


  Commit: 96a52dfc1bf250d569e050cdc69b1b8ea4cf7dff
      https://github.com/grml/grml-debian-keyring/commit/96a52dfc1bf250d569e050cdc69b1b8ea4cf7dff
  Author: Michael Prokop <mika at grml.org>
  Date:   2018-05-26 (Sat, 26 May 2018)

  Changed paths:
    M debian/control

  Log Message:
  -----------
  Bump Standards-Version to 4.1.4


  Commit: 6690dd7749dcbc68e4a227c84a816b108be9a9d4
      https://github.com/grml/grml-debian-keyring/commit/6690dd7749dcbc68e4a227c84a816b108be9a9d4
  Author: Michael Prokop <mika at grml.org>
  Date:   2018-05-26 (Sat, 26 May 2018)

  Changed paths:
    M debian/control

  Log Message:
  -----------
  Build-Depend on debhelper >= 9~


  Commit: 3b4d20b2ae382262c8c682cd45f79516fb28a216
      https://github.com/grml/grml-debian-keyring/commit/3b4d20b2ae382262c8c682cd45f79516fb28a216
  Author: Michael Prokop <mika at grml.org>
  Date:   2018-05-26 (Sat, 26 May 2018)

  Changed paths:
    M debian/compat

  Log Message:
  -----------
  Bump debian/compat to 9


  Commit: 9f14a657b3ee0a3316f0829100b6381299d96010
      https://github.com/grml/grml-debian-keyring/commit/9f14a657b3ee0a3316f0829100b6381299d96010
  Author: Michael Prokop <mika at grml.org>
  Date:   2018-05-26 (Sat, 26 May 2018)

  Changed paths:
    A debian/grml-debian-keyring.postinst

  Log Message:
  -----------
  Provide postinst script for support of older Debian releases

The `deb [signed-by=/usr/share/keyrings/....gpg]` approach for *.list
or `Signed-By: /usr/share/keyrings/*.gpg` approach for *.sources
respectively are supported only on Debian/stretch and newer.

To avoid breaking Debian wheezy + jessie installations which
use the grml-debian-keyring package and the Grml repository
we install a symlink /etc/apt/trusted.gpg.d/grml-archive-keyring.gpg
which points to /usr/share/keyrings/grml-archive-keyring.gpg.


  Commit: bdc8bae349bdf360d1aac84e98ce57f24a03bb7d
      https://github.com/grml/grml-debian-keyring/commit/bdc8bae349bdf360d1aac84e98ce57f24a03bb7d
  Author: Michael Prokop <mika at grml.org>
  Date:   2018-05-26 (Sat, 26 May 2018)

  Changed paths:
    A debian/NEWS

  Log Message:
  -----------
  Provide debian/NEWS for recent changes with new package version


  Commit: 7709828e4e05802c32a123a07e1e6d38078977df
      https://github.com/grml/grml-debian-keyring/commit/7709828e4e05802c32a123a07e1e6d38078977df
  Author: Michael Prokop <mika at grml.org>
  Date:   2018-05-26 (Sat, 26 May 2018)

  Changed paths:
    M debian/changelog

  Log Message:
  -----------
  PREPARE: Release new version 2018.05.26


Compare: https://github.com/grml/grml-debian-keyring/compare/1323d48e442a^...7709828e4e05
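
Added example, not part of the original mail or of the grml-debian-keyring package: a small audit script showing the difference these commits are about, namely sources pinned to one keyring with `signed-by` / `Signed-By` versus sources that rely on the global trust path, including the compatibility symlink described in the postinst commit. The function names, the sample tree and `repo.example.org` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not grml-debian-keyring code). For every APT source, print:
#   PINNED  entry limited to one keyring via signed-by= / Signed-By:
#   GLOBAL  entry accepted if signed by any key in etc/apt/trusted.gpg.d
#   ANCHOR  key file or symlink present in that global trust path
audit_apt_trust() {
    root=${1%/}; apt="$root/etc/apt"
    for f in "$apt/sources.list" "$apt"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        while IFS= read -r line; do
            case $line in
                deb*signed-by=*)
                    k=${line#*signed-by=}; k=${k%%]*}; k=${k%% *}
                    echo "PINNED $rel: $k" ;;
                deb*) echo "GLOBAL $rel: $line" ;;
            esac
        done < "$f"
    done
    for f in "$apt"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        # deb822: blank-line separated stanzas, each with its own Signed-By.
        awk -v rel="$rel" 'BEGIN { RS = ""; FS = "\n" }
            { key = ""
              for (i = 1; i <= NF; i++)
                  if ($i ~ /^Signed-By:/) { key = $i; sub(/^Signed-By:[ \t]*/, "", key) }
              print ((key != "") ? "PINNED " rel ": " key : "GLOBAL " rel ": stanza " NR) }' "$f"
    done
    for k in "$apt"/trusted.gpg.d/*.gpg "$apt"/trusted.gpg.d/*.asc; do
        rel=${k#"$root"}
        if [ -L "$k" ]; then echo "ANCHOR $rel -> $(readlink "$k")"
        elif [ -f "$k" ]; then echo "ANCHOR $rel"; fi
    done
}

# Constructed sample tree (repo.example.org is a placeholder): a pinned and an
# unpinned entry, plus the compatibility symlink the postinst commit describes.
make_demo_root() {
    d=$(mktemp -d) || return 1
    s="$d/etc/apt/sources.list.d"; kr=/usr/share/keyrings/grml-archive-keyring.gpg
    mkdir -p "$s" "$d/etc/apt/trusted.gpg.d" "$d/usr/share/keyrings"
    : > "$d$kr"
    ln -s "$kr" "$d/etc/apt/trusted.gpg.d/grml-archive-keyring.gpg"
    echo "deb [signed-by=$kr] https://repo.example.org/ stable main" > "$s/grml.list"
    echo "deb https://repo.example.org/ legacy main" > "$s/legacy.list"
    printf 'Types: deb\nURIs: https://repo.example.org/\nSigned-By: %s\n' "$kr" > "$s/new.sources"
    echo "$d"
}
# Try it: r=$(make_demo_root); audit_apt_trust "$r"; rm -rf "$r"
```

On a stretch-or-newer system an ANCHOR line for the Grml keyring means the key is still globally trusted for every configured repository, even when the Grml entry itself is PINNED.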