Re: Compute Engine images & GPG key



 ❦  1 October 2013 20:30 CEST, Jimmy Kaplowitz <jkaplowitz@google.com> :

> Quick advice-seeking email from me:
>
> Google recently started signing the apt repository from which we serve
> certain packages used in the Google Compute Engine image build process
> (google-startup-scripts, google-compute-daemon, image-bundle, and recently
> also gcutil).
>
> We do want to get these packages into Debian where appropriate so that the
> build can pull solely from the Debian archive, but adding an unknown GPG
> signature broke our current build. Doh! Thank you, Murphy's Law. :)
>
> I think the best short-term way to allow properly authenticated builds is
> to put the Google apt repository's public key somewhere in the github tree,
> apt-key add it before we pull in our repository, but be sure to apt-key
> remove it when we remove our repository.
>
> Does this sound sensible?

Yes. I would put the key under a Google HTTPS controlled domain (for
example, on the same server hosting the APT repository if it is also
able to serve it with HTTPS). This would match what is done by most
third-party repositories.
-- 
 /* Identify the flock of penguins.  */
	2.2.16 /usr/src/linux/arch/alpha/kernel/setup.c

Attachment: signature.asc
Description: PGP signature
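
The add-then-remove key handling discussed in this thread, as an added example (not code from the thread or from the Compute Engine build scripts). It fetches the key over HTTPS and also checks it against a fingerprint pinned in the build tree before `apt-key add`. `KEY_URL`, `EXPECTED_FPR` and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. KEY_URL and EXPECTED_FPR are placeholders (constructed),
# not values taken from the thread.
KEY_URL="https://repo.example.invalid/apt-key.gpg"
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Strip whitespace and upper-case, so "0123 45ab ..." compares equal to "012345AB...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin. Print the primary key fingerprint
# (field 10 of the first "fpr" record), but only if the file holds exactly
# one primary key; a bundle with extra keys prints nothing.
single_key_fpr() {
    awk -F: '$1 == "pub" { n++ }
             $1 == "fpr" && f == "" { f = $10 }
             END { if (n == 1 && f != "") print f }'
}

# Succeed only if the listing on stdin is one key whose fingerprint is $1.
fpr_ok() {
    got=$(single_key_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# Run before the third-party repository is added to the sources list.
add_repo_key() {
    dir=$(mktemp -d) || return 1
    if curl -fsSL --proto '=https' -o "$dir/key" "$KEY_URL" &&
       gpg --batch --with-colons --import-options show-only --import "$dir/key" |
           fpr_ok "$EXPECTED_FPR"
    then
        apt-key add "$dir/key"; rc=$?
    else
        echo "repository key failed the fingerprint check; not trusted" >&2
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# Run when the repository is removed, so the key does not stay trusted
# in the finished image.
remove_repo_key() {
    apt-key del "$EXPECTED_FPR"
}
```

HTTPS authenticates the server the key came from; the pinned fingerprint additionally makes the build fail if that server ever serves a different key.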
