search

yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com
Other
41.4k stars 2.72k forks source link

dl.yarnpkg.com: Provide GPG key as separate package via APT repository #7153

Open r4co0n opened 5 years ago

r4co0n commented 5 years ago

This is not regarding a particular branch of Yarn, but the APT packages provided by you via https://dl.yarnpkg.com/debian .

Recently, the GPG key used to sign to Yarn APT packages was changed, because the old key in use would have expired soon. This made many people following the official installation documentation for installation on Debian-based distributions suddenly getting an error when running apt-get update, a task that is automated at many places, as far as I know Ubuntu ships with a mechanism that triggers the related error unattendedly out-of-the-box. Many related bugs were reported and rightly closed, I followed #6885 .

This would not be a problem at all if the team responsible for packaging the Yarn APT packages decided on also shipping the GPG key used to sign the repository, via a DEB package, as the overwhelming majority of well-known APT repositories have done for quite some time.

Please have a look at debian-archive-keyring's debian folder to see how this is done upstream.

This bug report wants to request a packaging change for APT, resulting in an additional package being shipped, containing all trusted APT GPG keys. Allowing a transition period, this will make everyone be able to continue to use the official repository without further manual intervention.

If you want help having any of this explained or need help getting a demo of this to work reliably, I am looking forward to your requests and will do my best to welcome anyone following up.

arcanis commented 5 years ago

Thanks for the suggestion!

Ping @Daniel15?

Daniel15 commented 5 years ago

This is a good idea! I saw it discussed in #6885, thanks for creating a separate issue to track it. I'll try to get to it some time.

as the overwhelming majority of well-known APT repositories have done for quite some time.

Do most repositories do this? Just recently I had to manually update the key for one of the ones I use (can't remember which one, unfortunately) so it seems like some of them still do it manually.

r4co0n commented 5 years ago

Upon doing some digging, it seems I was kind of bold. I only found packager.io right now, but it feels I'm missing something obvious. Google seems to have switched to packager.io for most of their packaging, but they still don't ship Chrome with a key package. Vagrant and UniFi repositories are also apparently unaware of this easy step. What I got (I may update if I find more):