Re: Magnus Hagander 2012-11-18 <CABUevExbHLugeMJ_jd14s=CnErwxvKw=bMwyoOPBF2-5Xq0GVw@mail.gmail.com>
> > Feedback is welcome - I'm still pondering which of "pinning" and
> > "sources list entry" should be part of the package, and what to use as
> > defaults there for the debconf questions. The current plan would be to
> > add a pinning question, but default to "no" (principle of least
> > surprise for the casual user).
>
> I still argue that the default should be "yes", with the exact same
> argument about principle of least surprise :)
>
> But that could be because I misunderstand the actual question?
Nah, it is the same discussion as we had at my place. I'm kind of
included to get the pgdg-keyring package included in Debian itself, so
we have an easy trust path. In Debian, the question of "prefer pgdg"
defaults might be different, but we certainly don't want to maintain
two versions of the same package, just with different defaults.
I'll keep thinking about it :)
> But surely the system must cope with keys being installed more than
> once? More interesting is really what happens if you have two copies
> of the key - and only one of them is renewsed for exmaple..
That's the actual question. If we provide a new (renewed) key in the
package, apt (or gpg) must not get confused by the other copy. (The
fix is probably to remove the "manual" key on installation of the
pgdg-keyring package.)
> > [*] Should I rather call that pgdg.gpg?
>
> No, I think that is a good name. It shows it's a key for the apt
> repository specifically. There is a different GPG key used for the yum
> repo, for example.
Well, we are using "pgdg" in lots of other places, so we should
(could?) probably use it here too.
Christoph
--
cb@df7cb.de | http://www.df7cb.de/
