So, I've been giving this some more thought, and have tried to write a spec, but then found that...

On Sat, Jun 13, 2015 at 05:03:15PM +0800, Paul Wise wrote:
> https://lists.debian.org/deity/2014/01/msg00055.html

...this (and the discussion following it) actually seems fairly close to what my spec was going to be.

I would suggest that the deb822 sources.list format be slightly extended so that:

- Apt will try to download it from a default location in the repository (or perhaps a location specified in the deb822 sources.list file itself).
- It may be GPG-signed by one or more keys. Apt should have a way of configuring GPG keys that may be allowed to sign sources.list files, preloaded with the set of keys in the Debian keyring. This will allow system administrators in large environments to specify their own set of keys allowed to sign repositories, as well as allowing downstreams to add their own ways of trusting repositories.
- It may possibly add a limitation on the packages that can be downloaded from the given repository (so that a package repository cannot suddenly acquire a package "libc6", accidentally or otherwise). This should allow for wildcards (e.g., in my specific situation this field would contain "libbeid*, eid-*, beid-*").
- (It would be good if apt also added the ability to limit keys on a per-repository basis, already suggested in the January 2014 discussion but not yet implemented due to missing required infrastructure.)

We could then also add a field "Default-Install:", ignored by apt but honoured by a handler for the MIME type of sources.list files, that would list a set of packages to install by default when adding this repository.
Added together, this would give maintainers of third-party repositories the following:

- A trusted path from Debian to their repository;
- Insurance (when the sources.list file is signed by multiple keys) against a DD leaving the project, or their key being compromised, or similar;
- A way for their users to install the software they're using by clicking on a link (to the sources.list file, passed on to this MIME type handler) which automatically (after appropriate authentication and confirmation) adds the file to sources.list, runs "apt-get update", and installs a default set of packages from this repository.

At the same time, it would allow us to limit the possible "damage" third-party repositories can do in several ways:

- Limit the keys with which they can sign their repositories;
- Limit the packages they can override, very much in the same way we limit DMs today;
- If the Pin-Priority: field as proposed by aj is implemented (doesn't appear to be the case today), limit the impact the repository can have.

Of course, the above may or may not be appropriate in some cases, so I'm not suggesting we make any of those fields mandatory; it should be up to the DD signing the sources.list configuration file to ensure that the contents of that file are sane and safe.

Thoughts?

--
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
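To make the per-repository package limitation concrete, here is an added example (not part of the message above, and not apt's own code) that parses a deb822-style sources stanza and decides whether a given package name may be fetched from that repository. The field name "Allowed-Packages" is an assumption: the message only describes the idea of such a field, and the stanza below is constructed for this example.

```python
"""Illustrative check for a proposed per-repository package allowlist.

Parses a deb822-style sources stanza containing a HYPOTHETICAL
"Allowed-Packages:" field (the field name is an assumption; the mailing
list message only describes the idea) and decides whether a package name
may be taken from that repository.  The stanza below is constructed.
"""
from fnmatch import fnmatchcase

# Constructed sample: a deb822 sources stanza carrying the hypothetical field.
SAMPLE_STANZA = """\
Types: deb
URIs: https://example.invalid/debian
Suites: stable
Components: main
Allowed-Packages: libbeid*, eid-*, beid-*
"""


def parse_stanza(text):
    """Parse one deb822 paragraph into a dict of field name -> value.

    Continuation lines (starting with a space or tab) are appended to the
    previous field, as in deb822.  Field names are case-insensitive in
    deb822, so they are normalised to lower case here.
    """
    fields = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            fields[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        last = name.strip().lower()
        fields[last] = value.strip()
    return fields


def allowed_patterns(fields):
    """Return the package-name patterns listed in Allowed-Packages.

    An absent field means "no restriction" (None), matching the suggestion
    in the message that such fields not be mandatory.
    """
    value = fields.get("allowed-packages")
    if value is None:
        return None
    return [p.strip() for p in value.split(",") if p.strip()]


def package_allowed(package, patterns):
    """True if the package may be fetched from this repository.

    Case-sensitive glob matching: 'libbeid*' matches 'libbeid1' but a
    repository restricted this way cannot supply 'libc6'.
    """
    if patterns is None:
        return True
    return any(fnmatchcase(package, pat) for pat in patterns)


def check(stanza_text, package):
    """Parse a stanza and check a single package name against it."""
    return package_allowed(package, allowed_patterns(parse_stanza(stanza_text)))


if __name__ == "__main__":
    for pkg in ("libbeid1", "eid-mw", "beid-viewer", "libc6"):
        print(pkg, "allowed" if check(SAMPLE_STANZA, pkg) else "REJECTED")
```

Run stand-alone, the script reports the three eID-style names as allowed and "libc6" as rejected; a stanza without the field places no restriction at all, which is the behaviour the message asks for when a maintainer chooses not to use it.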