On Wed, 22 Feb 2012 17:21:45 -0200, Christian Robottom Reis kiko@linaro.org wrote:
Is there a reason why we don't simply preinstall that key in the apt keyring before shipping the filesystem?
It's a good question. I'm going to borrow James W.'s opinion here who will know of any unforeseen consequences of it.
There shouldn't be any issues with doing this. Users of the image are trusting Linaro already, so trusting the PPA is just an extension of that.
The image build should insert the key using the long fingerprint though (not the 8-character version) to avoid collision attacks on the build process.
The same goes for pre-seeding the apt lists: downloading them at linaro-media-create time is worryingly non-deterministic. Really, the releases should be 100% self-contained.
I think the reason we don't pre-seed these is that they take up a lot of space on the downloaded image. Am I wrong?
No, that's right. Usually linaro-media-create doesn't actually need the downloaded files either. Unfortunately there aren't apt APIs to do what it needs to do without downloading all of the files though.
Thanks,
James
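
The point in the thread about using the long fingerprint rather than the 8-character ID can be shown as a build-time check. This is an added example, not part of the original message or of linaro-media-create: the fingerprints, the listing and the function names are constructed, and it assumes v4 OpenPGP keys (40 hex digits) and a listing in the style of `gpg --with-colons --fingerprint`.

```python
import re

# Constructed sample in the style of `gpg --with-colons --fingerprint` output:
# two different keys whose fingerprints end in the same 8 hex digits.
FPR_A = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"  # constructed, the key we mean
FPR_B = "FFEEDDCCBBAA9988776655443322110012345678"  # constructed look-alike
SAMPLE_LISTING = (
    "pub:-:2048:1:6D7E8F9012345678:1325376000:::-:::scESC:\n"
    f"fpr:::::::::{FPR_A}:\n"
    "uid:-::::1325376000::::Constructed PPA key::::::::::0:\n"
    "pub:-:2048:1:3322110012345678:1325376000:::-:::scESC:\n"
    f"fpr:::::::::{FPR_B}:\n"
    "uid:-::::1325376000::::Constructed PPA key::::::::::0:\n"
)

def normalize_fingerprint(value):
    """Return a 40-hex-digit v4 fingerprint, refusing short or long key IDs."""
    fpr = re.sub(r"\s+", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("need the full 40-hex-digit fingerprint, got %r" % value)
    return fpr

def primary_fingerprints(listing):
    """Fingerprints of primary keys: the fpr record that follows each pub."""
    found, after_pub = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())
            after_pub = False
        elif fields[0] in ("sub", "sec", "ssb"):
            after_pub = False
    return found

def short_id_matches(listing, short_id):
    """What an 8-character lookup would accept: every key with that suffix."""
    return [f for f in primary_fingerprints(listing) if f.endswith(short_id.upper())]

def pinned_key(listing, expected):
    """Return the single key whose full fingerprint equals the pinned one."""
    want = normalize_fingerprint(expected)
    hits = [f for f in primary_fingerprints(listing) if f == want]
    if len(hits) != 1:
        raise LookupError("pinned fingerprint not present exactly once")
    return hits[0]
```

A build script would run `pinned_key` over the listing of the key file it is about to install and abort on any exception, so a key that merely shares the short ID never reaches the image's apt keyring.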