Details
- Improvement
- Resolution: Unresolved
- Major
- None
- 3.0.0
- None
Description
Sometimes it's useful to limit access to a Debian repository via an SSH tunnel or other technique. In these cases the gpg signing of the apt repo is unnecessary and in some ways reduces security. Adding an apt key means the computer will trust that gpg key for any sources. This means a compromised gpg key does not necessarily affect only the security of one apt source on a given system.
I can't find a way to make apt ignore the gpg key, even though I can trivially make apt accept an unsigned repo. As far as I can tell the only solution without changes somewhere is to carefully manage a gpg private key I don't even really want to have in the first place.
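The trust-scope problem described above can be audited per source line. The following POSIX shell script is an added example, not part of this issue or of the project it is filed against: a `deb` line with no `signed-by=` option is verified against every key in the global trust store (`/etc/apt/trusted.gpg` and `/etc/apt/trusted.gpg.d/`), a line with `signed-by=` is pinned to one keyring, and `[trusted=yes]` disables signature checking for that source only. The sample sources, hosts and keyring paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify apt source lines by how their signatures are trusted.
# global-trust : no signed-by= option, so any key in /etc/apt/trusted.gpg(.d)
#                can sign this source (the issue the report describes)
# pinned-key   : signed-by=<keyring> limits trust to one keyring
# unsigned     : [trusted=yes] skips signature checks for this source only
# skip         : blank line, comment, or not a deb/deb-src line

# Constructed sample (hypothetical hosts; the tunnel is a local port forward).
SAMPLE_SOURCES='deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-keyring.gpg] https://example.invalid/apt stable main
deb [trusted=yes] http://127.0.0.1:8080/internal stable main
# deb http://commented.invalid/apt stable main'

# classify_source LINE -> prints global-trust | pinned-key | unsigned | skip
classify_source() {
    line=$1
    case "$line" in
        ''|'#'*) echo skip; return ;;
        'deb '*|'deb-src '*) ;;
        *) echo skip; return ;;
    esac
    # Pull out the [option ...] block, if present (empty string otherwise).
    opts=$(printf '%s\n' "$line" | sed -n 's/^deb[-a-z]* *\[\([^]]*\)\].*/\1/p')
    case " $opts " in
        *' trusted=yes '*) echo unsigned; return ;;
    esac
    case " $opts " in
        *' signed-by='*) echo pinned-key; return ;;
    esac
    echo global-trust
}

# count_global_trust -> number of sample lines that rely on the global keyring
count_global_trust() {
    n=0
    while IFS= read -r l; do
        if [ "$(classify_source "$l")" = global-trust ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_SOURCES
EOF
    echo "$n"
}

echo "sources relying on the global apt keyring: $(count_global_trust)"
```

Run it against real files with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` piped through a loop over `classify_source`; the same `signed-by` and `trusted` options are documented in sources.list(5).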