VideoLAN APT Signing Key
Nicola Chiapolini
nicola.chiapolini at bluewin.ch
Tue Jan 14 15:20:40 UTC 2014
Hi Jonas
Thanks for your answer. I guess there was a small misunderstanding.
> > *) create an official, signed package with the key (I guess there
> > are no legal problems preventing debian from distributing this key.)
> > If possible, the package could even include a file
> > /etc/apt/sources.list.d/videolan.list
> > with the relevant lines. (However, I fear that here some legal
> > subtleties might be important; but IANAL)
> [...]
> Your second proposed option is less realistic: In Debian we distribute
> (and then sign) only code that we have compiled ourselves from source
> - not binary code prepared by others (except some non-free parts, but
> let's not go there).
My mail concerns libdvdcss that can (AFAIK) not be distributed within
Debian. Now the nice people from VLC host the relevant Debian package in
their own Debian repository [1]. Adding this repository to sources.list
is no problem. However I need to trust some "random" key from the web to
use it. (So far I just pinned the repository at a priority of -10 to
reduce the potential for damage.)
[1] http://www.videolan.org/developers/libdvdcss.html
Now my idea was that Debian could offer a package containing no binary
software but only two files:
*) /etc/apt/sources.list.d/videolan.list
   containing:
     deb http://download.videolan.org/pub/debian/stable/ /
     deb-src http://download.videolan.org/pub/debian/stable/ /
*) videolan-apt.asc
   The key, transferred on a trusted path from the VideoLAN Developers to
   Debian and apt-key added when the package is installed.
This way Debian would not distribute libdvdcss but a user would have a
comfortable and secure way of obtaining the library (as I said, I am not
a lawyer, so a lawyer might disagree here). Hope this makes my idea a
bit more clear.
However if Reinhard is correct and there will be a sustainable solution
for Jessie, it's probably not worth the hassle.
Again, thanks for your great work to all of you
Nicola