VideoLAN APT Signing Key
Jonas Smedegaard
dr at jones.dk
Tue Jan 14 11:48:03 UTC 2014
Hi Nicola,
Quoting Nicola Chiapolini (2014-01-14 10:29:08)
> First of all I want to thank you for your great work.
>
> As a debian user I just looked into adding
> http://download.videolan.org/
> to my sources. This works perfectly, however I am not comfortable
> adding a key to my trusted keys without the possibility to check its
> fingerprint.
>
> So it would be great if you could do one or all of the following:
> *) add the fingerprint of the key to the web-page
> *) create an official, signed package with the key (I guess there
> are no legal problems preventing debian from distributing this key.)
> If possible, the package could even include a file
> /etc/apt/sources.list.d/videolan.list
> with the relevant lines. (However I fear, that here some legal
> subtleties might be important; but IANAL)

Adding ways to ensure the integrity of fetched material is sure good.

Your suggestion of (signing package releases and) offering the public
signing key in a separate package is one step towards that. Another is
to then serve the (initially, at least) web-downloaded packages from a
TLS-secured site (i.e. https protocol).

Your second proposed option is less realistic: In Debian we distribute
(and then sign) only code that we have compiled ourselves from source -
not binary code prepared by others (except some non-free parts, but
let's not go there).

VideoLAN developers are quite welcome to work directly with Debian e.g.
by joining the Multimedia Maintainers team, to prepare the packaging in
Debian to their satisfaction, have it built in Debian, and then serve as
direct download what was built and signed in Debian. I imagine, though,
that they are busy creating VLC itself already, and that's quite
appreciated as well :-)

Kind regards,

- Jonas

Debian Developer and member of the Debian Multimedia Maintainers team
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
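
The check requested in the quoted message, comparing a downloaded key's fingerprint with one obtained out of band before trusting it for APT, as an added example that is not part of the original thread. The sample `gpg --show-keys --with-colons` output and every fingerprint in it are constructed, and 40-hex-digit (v4) fingerprints are assumed.

```python
# Constructed sample of `gpg --show-keys --with-colons keyfile` output.
# Every key ID and fingerprint here is made up for illustration.
SAMPLE_ONE_KEY = """\
pub:-:4096:1:6D7E8F9001234567:1389657600:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001234567:
uid:-::::1389657600::::Example Archive Key <archive@example.invalid>:
sub:-:4096:1:33221100FEDCBA98:1389657600::::::e:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FEDCBA98:
"""
# The same file with a second, unrelated primary key appended.
SAMPLE_TWO_KEYS = SAMPLE_ONE_KEY + """\
pub:-:4096:1:C3D2E1F000112233:1389657600:::-:::scESC:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F000112233:
"""

HEX = set("0123456789ABCDEF")


def primary_fingerprints(colon_output):
    """Fingerprints of primary keys only: the fpr record that follows a pub record."""
    found, owner = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and len(fields) > 9:
            if owner == "pub":
                found.append(fields[9].upper())
            owner = None
    return found


def key_file_is_expected(colon_output, published_fingerprint):
    """True only if the file holds exactly one primary key with that fingerprint."""
    expected = "".join(published_fingerprint.split()).upper()
    if len(expected) != 40 or not set(expected) <= HEX:
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    found = primary_fingerprints(colon_output)
    # A file bundling an extra key would get that key trusted too, so reject it.
    return len(found) == 1 and found[0] == expected


if __name__ == "__main__":
    published = "A1B2 C3D4 E5F6 0718 293A  4B5C 6D7E 8F90 0123 4567"
    print(key_file_is_expected(SAMPLE_ONE_KEY, published))   # single matching key
    print(key_file_is_expected(SAMPLE_TWO_KEYS, published))  # extra key bundled
```

The comparison is only as trustworthy as the channel the published fingerprint came from, which is why the reply above pairs it with serving over TLS.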
More information about the pkg-multimedia-maintainers
mailing list