alternative update mechanism
IRC discussion happened today:
11:32 < wouter> weasel: also, if this takes off and there are no major blockers,
long-term I'd like to move the signing key for extrepo to DSA
infrastructure (currently it's on a VM on my server, seperate
from everything else, but that's not a good long-term strategy...)
11:32 < wouter> weasel: what do you think the best way to do that would be?
11:33 < Myon> ansgar: but that comment isn't about the software
11:33 < weasel> wouter: why does it need an extra signing key?
11:34 < weasel> it's a package, isn't it?
11:34 < wouter> weasel: it downloads the repository metadata for the external
repositories from pages.debian.net -- that metadata is signed
11:34 < weasel> ah, it doesn't ship the metadata?
11:34 < wouter> that would defeat the purpose :-)
11:34 < weasel> why?
11:35 < weasel> it's how debian ships stuff.
11:35 < wouter> the whole point is to support third-party repositories that might
be updated or changed post-release
11:35 < ansgar> Myon: "aud their communities". Of course we can just agree that
"sysvinit supporters betray the idea of free software" is okay ;-)
11:35 < weasel> we have point releases.
11:36 < wouter> weasel: I kindof see this as in the same vein as Ubuntu's PPAs
11:36 < weasel> I'm not thrilled about supporting anything like that with my DSA
hat on. seems like something that needs to be resolved for all the
"data that needs more frequent updates" things with -release and
ftp-master
11:36 < wouter> (a bit less open, though, hence the vetting process first)
11:37 < wouter> weasel: okay, so then I guess the way forward would be "talk to
DSA and the wider community first" ;-)
11:37 < ansgar> wouter: Debian and private key material is not that great. We
don't really have infrastructure to add arbitrary keys on secure
storage.
11:37 < ansgar> wouter: Way too much stuff (e.g. buildds) just store them as files
which isn't great :/ (Not blaming DSA, hardware tokens are not
really joy to use.)
11:37 < wouter> (and if the result ends up being "ship the metadata, don't
download it", then I can update things like that easily enough)
11:37 < weasel> this not just being a "normal" package seems like a huge downside
to me.
11:38 < weasel> "ship the metadata" would be my choice.
11:39 < wouter> weasel: I hear you, but I respectfully disagree. If it turns out
I'm the only one with that opinion, then I'll update things, but
not just yet.
11:39 < weasel> :)
11:39 < kibi> wouter: ok, we're drafting the gr
11:40 < wouter> weasel: the idea is to have the gitlabs and teamviewers and skypes
of this world replace their "please download this random unsigned
script and run it as root" by "please install extrepo and run
'extrepo enable <our repository>'"
11:40 < wouter> weasel: if that means they'd have to wait for the next point
release before they can do that, I suspect it won't be very popular,
and then that won't succeed
11:40 < ansgar> wouter: We have -updates.
11:40 < wouter> (and yes, I'm aware that won't happen from day one)
11:40 < weasel> it's the "I'm coming up with another authentication chain and all
the infrastructure that comes with it and that only is usable for
this one thing" thing I'm strongly opposed to and want no part of.
11:41 < wouter> weasel: okay, that is certainly fair enough
11:42 < Myon> maybe you could ship the data, *and* have it online
11:42 < weasel> it means the package effectively is not NMUable, for instance.
11:42 < weasel> or rather, the package is, but that's useless because it's just a
downloader. or a meta downloader even
11:42 < ansgar> weasel: That's true for a few other packages already (some
firmware (yes), shim). Though not great.
11:42 < weasel> ansgar: yes. we don't need more of that kind
11:43 < weasel> at least we should think very. hard. if it's needed in this case.
11:43 < wouter> weasel: what I care about is having a way to tell a third party
"your repository is now active for everyone, immediately". I came
up with this system, and that works, but I get your pointEdited by Wouter Verhelst