Re: pgdg-keyring

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Christoph Berg <cb(at)df7cb(dot)de>, "pgsql-pkg-debian(at)postgresql(dot)org" <pgsql-pkg-debian(at)postgresql(dot)org>
Subject: Re: pgdg-keyring
Date: 2012-11-18 16:23:32
Message-ID: CABUevEz7wTz+rj3z8-nMsQ=GiiLhJbfkEC-shpR7PRANthHG_w@mail.gmail.com
Lists: pgsql-pkg-debian

On Sun, Nov 18, 2012 at 4:39 PM, Christoph Berg <cb(at)df7cb(dot)de> wrote:
> Re: Magnus Hagander 2012-11-18 <CABUevExbHLugeMJ_jd14s=CnErwxvKw=bMwyoOPBF2-5Xq0GVw(at)mail(dot)gmail(dot)com>
>> > Feedback is welcome - I'm still pondering which of "pinning" and
>> > "sources list entry" should be part of the package, and what to use as
>> > defaults there for the debconf questions. The current plan would be to
>> > add a pinning question, but default to "no" (principle of least
>> > surprise for the casual user).
>>
>> I still argue that the default should be "yes", with the exact same
>> argument about principle of least surprise :)
>>
>> But that could be because I misunderstand the actual question?
>
> Nah, it is the same discussion as we had at my place. I'm kind of
> inclined to get the pgdg-keyring package included in Debian itself, so
> we have an easy trust path. In Debian, the question of "prefer pgdg"
> defaults might be different, but we certainly don't want to maintain
> two versions of the same package, just with different defaults.
>
> I'll keep thinking about it :)

Aha. I can see it being a more controversial thing to do if you want
to push it into Debian itself.

Speaking of which, is the name pgdg-keyring really the right one? If
it *only* adds the key to the keyring it seems correct, but if it also
adds a repository to your server it seems like a bad name for the
package?

>> But surely the system must cope with keys being installed more than
>> once? More interesting is really what happens if you have two copies
>> of the key - and only one of them is renewed for example..
>
> That's the actual question. If we provide a new (renewed) key in the
> package, apt (or gpg) must not get confused by the other copy. (The
> fix is probably to remove the "manual" key on installation of the
> pgdg-keyring package.)

Yeah, unless it's smart enough to recognize which key is valid and
only use that one.

As you say, some testing is probably required :)

>> > [*] Should I rather call that pgdg.gpg?
>>
>> No, I think that is a good name. It shows it's a key for the apt
>> repository specifically. There is a different GPG key used for the yum
>> repo, for example.
>
> Well, we are using "pgdg" in lots of other places, so we should
> (could?) probably use it here too.

We could. But I think calling it apt.postgresql.org.gpg is more clear :)

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
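The duplicate-key question in this message can be checked offline. The following is an added example, not code from the thread or from the pgdg packaging: it parses `gpg --with-colons --fingerprint --list-keys` output for each apt keyring and reports keys whose copies disagree on expiry. The keyring labels, fingerprints and timestamps are constructed sample values, and `conflicting_copies` is a hypothetical helper name.

```python
from collections import defaultdict

def parse_colons(listing):
    """Yield (fingerprint, expiry) per primary key in gpg --with-colons output."""
    expiry, want_fpr = None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 7 is the expiration time in epoch seconds; empty means none.
            expiry = int(f[6]) if f[6] else None
            want_fpr = True
        elif f[0] == "fpr" and want_fpr:
            # Field 10 is the fingerprint; the first fpr after pub is the
            # primary key's, later ones belong to subkeys and are skipped.
            yield f[9], expiry
            want_fpr = False

def conflicting_copies(keyrings):
    """Return {fingerprint: {keyring: expiry}} where copies differ in expiry."""
    seen = defaultdict(dict)
    for name, listing in keyrings.items():
        for fpr, expiry in parse_colons(listing):
            seen[fpr][name] = expiry
    return {fpr: copies for fpr, copies in seen.items()
            if len(copies) > 1 and len(set(copies.values())) > 1}

# Constructed sample: the same key added by hand (old expiry) and shipped by
# a keyring package (renewed), plus an unrelated key present only once.
FPR, OTHER = "A" * 40, "B" * 40
SAMPLE = {
    "trusted.gpg": (
        f"pub:e:4096:1:{FPR[-16:]}:1300000000:1350000000::-:::sc:\n"
        f"fpr:::::::::{FPR}:\n"
        f"pub:-:2048:1:{OTHER[-16:]}:1300000000:::-:::sc:\n"
        f"fpr:::::::::{OTHER}:\n"
    ),
    "apt.postgresql.org.gpg": (
        f"pub:-:4096:1:{FPR[-16:]}:1300000000:1450000000::-:::sc:\n"
        f"fpr:::::::::{FPR}:\n"
    ),
}

if __name__ == "__main__":
    for fpr, copies in conflicting_copies(SAMPLE).items():
        print(fpr, copies)
```
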
