Open JackWilb opened 4 years ago
I'm really sorry about the Yarn key... I've been meaning to create a keyring package and stick it in the Yarn Debian repo but it's fairly low on my list of priorities. Nobody in the Debian/Ubuntu community has given any guidance on how to do so, and I haven't had time to research it myself.
Hi @Daniel15! Thanks for your note.
For now we've used the workaround you mentioned in the issue, but I'm concerned about deployment reproducibility going forward. The strategy you outlined in this comment sounds good to me, but I'm also not an expert in packaging issues.
Thanks again!
We recently had a build failure due to an expired GPG for yarn. Here is the associated issue.
This may continue to happen for packages that don't come with a companion -keyring package that keeps the keys up to date. The best step would be to include a build step that makes sure apt has the most up-to-date version of the keys.
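
One way a build step could catch this before `apt` fails, as an added example that is not part of the original thread: it reads GnuPG's colon-delimited key listing and flags signing keys that are expired or about to expire. The function name `check_key_expiry`, the variable `SAMPLE_KEYS`, and the key IDs and dates in it are constructed for illustration, and expiry timestamps are assumed to be epoch seconds.

```shell
#!/bin/sh
# Added example: fail or warn a build when a repository signing key is expired
# or close to expiry. Feed it GnuPG's machine-readable listing, for example:
#   gpg --show-keys --with-colons <repo-key-file> | check_key_expiry "$(date +%s)" 30
# (<repo-key-file> is a placeholder for the key your apt source is signed with.)

# check_key_expiry NOW_EPOCH WARN_DAYS   (colon listing on stdin)
# Prints "<STATUS> <keyid> <expiry|never>" per pub/sub record.
# Exit status: 1 if any key is expired, 2 if any expires within WARN_DAYS, else 0.
check_key_expiry() {
  awk -F: -v now="$1" -v warn_days="$2" '
    $1 == "pub" || $1 == "sub" {
      keyid = $5                      # field 5: key ID
      expiry = $7                     # field 7: expiry (assumed epoch seconds)
      shown = (expiry == "") ? "never" : expiry
      if ($2 == "e" || (expiry != "" && expiry + 0 <= now + 0)) {
        print "EXPIRED", keyid, shown; bad = 1      # field 2 "e" = gpg says expired
      } else if (expiry != "" && expiry - now <= warn_days * 86400) {
        print "EXPIRING", keyid, shown; soon = 1
      } else {
        print "OK", keyid, shown
      }
    }
    END { exit bad ? 1 : (soon ? 2 : 0) }
  '
}

# Constructed sample listing (not real keys): one expired primary key, one
# subkey expiring soon, one healthy key, and one key with no expiry date.
SAMPLE_KEYS='pub:e:4096:1:AAAAAAAAAAAAAAA1:1500000000:1690000000::-:::sc:
uid:e::::1500000000::::Constructed Example <example@example.invalid>:
sub:-:4096:1:AAAAAAAAAAAAAAA2:1500000000:1701000000:::::e:
pub:-:4096:1:BBBBBBBBBBBBBBB1:1600000000:1800000000::-:::scESC:
pub:-:4096:1:CCCCCCCCCCCCCCC1:1600000000:::-:::scESC:'

# Demo run with a fixed "now" so the result is reproducible.
printf '%s\n' "$SAMPLE_KEYS" | check_key_expiry 1700000000 30 \
  || echo "key check exit status: $?"
```

Run on a schedule with a warning window of a few weeks, a non-zero status gives time to refresh the key before a deployment build breaks.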