[Pkg-matrix-maintainers] ITP: matrix-archive-keyring -- OpenPGP archive key for the Matrix.org package repository

Linda Lapinlampi linda at lindalap.fi
Tue Feb 12 17:51:39 GMT 2019


Package: wnpp
Severity: wishlist
Owner: Linda Lapinlampi <linda at lindalap.fi>

* Package name    : matrix-archive-keyring
  Version         : 2015.12.09
  Upstream Author : The Matrix.org Foundation CIC <packages at matrix.org>
* URL             : https://matrix.org/packages/debian/repo-key.asc
* License         : GPLv3+ (key: public domain)
  Programming Lang: Make, sh
  Description     : OpenPGP archive key for the Matrix.org package repository

The Matrix.org Debian package repository distributes digitally signed
releases of Matrix.org related packages. This package contains the
archive key used to verify those files, required by apt(8).

matrix-archive-keyring will also attempt to harden the apt-secure(8)
infrastructure by removing known previously installed (untrusted)
Matrix.org archive key(s) from apt(8)'s global trust database, which
have often been erroneously added via apt-key(8).

----

Hi, so there are a few packages in Debian already, such as matrix-synapse.
[1] And then there are Debian packages from third-party Matrix.org and
Riot.im package repositories at upstream.

The issue: Signing keys added to /etc/apt/trusted.gpg{,.d} will be
trusted by apt(8) for every repository, including Debian's main package
repository.

I'm currently seeing a "trend" on the Internet where tutorials and
guides suggest to use "apt-key add" to install Matrix.org's package
repository archive key recklessly without any regard to apt-secure(8).
More so, Matrix.org links to one of these guides itself. [2] Riot.im
(related to the same people running Matrix.org) also suggests "apt-key
add". [3] Synapse 0.99.0's `INSTALL.md` guide suggests to download a key
and add it via apt-key(8) too, [4] while this package is also available
from Debian.

The solution: A keyring package, as suggested by apt-secure(8).

If the sysadmin wants to install from Matrix.org or Riot.im package
repositories (instead of Debian's), fine. Who am I to argue? At least
I can make their life more convenient while hardening APT's security for
everyone, while Debian doesn't have packages available for every
upstream package yet.

I have made this package install an OpenPGP-armored keyring to
/usr/share/keyrings (instead of /etc/apt/trusted.gpg.d); I'm also using
a db_install(8) postinst script to ensure that the keys in question
don't show up in two keyrings at once.

I will also be looking to configure debconf(1) to ask if the user also
wants to install the appropriate sources.list(5) file for the Matrix.org
and/or Riot.im repository with signed-by option.

Packages similar to this one exist in Debian: ubuntu-keyring,
leap-archive-keyring, pkg-mozilla-archive-keyring, etc.

I will be looking for a sponsor. I know someone from the Matrix
Packaging Team at Debian whom I'll be asking to kindly sponsor this
package. If they refuse, I know where to ask.

Thanks for your attention.

[1]: https://wiki.debian.org/Matrix
[2]: https://matrix.org/docs/guides/installing-synapse
[3]: https://riot.im/desktop.html
[4]: https://github.com/matrix-org/synapse/blob/release-v0.99.0/INSTALL.md
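The layout the message argues for (a per-repository keyring under /usr/share/keyrings, a sources.list(5) entry that trusts it only via signed-by, and a check for copies of the same key left in apt's global trust database by "apt-key add"), as an added example that is not part of the original post and not code from the matrix-archive-keyring package. The keyring and sources file names, the repository URL, the suite and component, and the reliance on GnuPG 2.2's --show-keys are assumptions; only the key URL is taken from the message.

```shell
#!/bin/sh
# Added example, not code from the original post or the matrix-archive-keyring
# package. A repository key installed with "apt-key add" ends up in
# /etc/apt/trusted.gpg{,.d} and is trusted for every repository, including
# Debian's own. The apt-secure(8) layout instead keeps the key in its own
# keyring and names that keyring in the repository's sources.list(5) entry
# with signed-by, so it can only vouch for that one repository.
# Assumed: keyring/sources file names, repository URL, suite and component,
# and GnuPG >= 2.2 for --show-keys. Only KEY_URL comes from the message.
set -eu

KEYRING=/usr/share/keyrings/matrix-org-archive-keyring.gpg   # assumed name
KEY_URL=https://matrix.org/packages/debian/repo-key.asc      # from the post
REPO_URL=https://matrix.org/packages/debian/                 # assumed
SOURCES=/etc/apt/sources.list.d/matrix-org.list              # assumed name

# sources.list(5) line restricting trust in one repository to one keyring.
# $1 keyring path, $2 repository URL, $3 suite, $4 component(s)
render_sources_entry() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Primary and subkey fingerprints in a keyring file (binary or armored).
# "fpr" records carry the fingerprint in colon field 10.
keyring_fingerprints() {
    gpg --batch --with-colons --with-fingerprint --show-keys -- "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10 }'
}

# Fingerprints present in both newline-separated lists $1 and $2.
overlapping_fprs() {
    printf '%s\n' "$1" | while IFS= read -r fpr; do
        [ -n "$fpr" ] || continue
        if printf '%s\n' "$2" | grep -qFx -- "$fpr"; then
            printf '%s\n' "$fpr"
        fi
    done
}

# Print "<file> <fingerprint>" for every key of keyring $1 that also lives in
# a keyring under directory $2 (normally /etc/apt/trusted.gpg.d) or in the
# legacy /etc/apt/trusted.gpg: these are keys apt-key(8) made globally trusted,
# the situation the post's postinst is meant to clean up.
find_globally_trusted_copies() {
    wanted=$(keyring_fingerprints "$1")
    for f in "$2"/*.gpg "$2"/*.asc /etc/apt/trusted.gpg; do
        [ -f "$f" ] || continue      # unmatched glob or missing legacy file
        overlapping_fprs "$wanted" "$(keyring_fingerprints "$f")" |
            while IFS= read -r fpr; do printf '%s %s\n' "$f" "$fpr"; done
    done
}

# Installation only when run as "sh thisscript install" (needs root + network).
if [ "${1:-}" = "install" ]; then
    install -d -m 0755 /usr/share/keyrings
    tmp=$(mktemp)
    wget -qO "$tmp" "$KEY_URL"
    # Dearmor so any apt version can read the keyring (apt >= 1.4 would also
    # accept the .asc file directly in signed-by).
    gpg --dearmor < "$tmp" > "$KEYRING"
    rm -f "$tmp"
    chmod 0644 "$KEYRING"
    render_sources_entry "$KEYRING" "$REPO_URL" stretch main > "$SOURCES"
    # Anything printed here is still trusted for every repository; remove it
    # with "apt-key del <fingerprint>" or by deleting the listed file.
    find_globally_trusted_copies "$KEYRING" /etc/apt/trusted.gpg.d
fi
```

Run as "sh script.sh install" to perform the installation; without the argument it only defines the functions, so the fingerprint check can be reused on its own, for example `find_globally_trusted_copies /usr/share/keyrings/foo.gpg /etc/apt/trusted.gpg.d` after any third-party tutorial's "apt-key add" step. The check reports rather than deletes because a file in trusted.gpg.d may hold more than one key.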
