| 11 Feb 2019 |
 shirish | this is the debian/watch for kalarm https://salsa.debian.org/qt-kde-team/kde/kalarm/blob/master/debian/watch | 06:36:32 |
| shirish | there is a watch file here https://salsa.debian.org/matrix-team/matrix-synapse/blob/debian/master/debian/watch | 06:39:18 |
| shirish | but for some reason it isn't giving if an update is available or not. | 06:39:39 |
 Linda | knows | 12:11:09 |
| Linda | andrewsh: Would you sponsor my package matrix-archive-keyring probably tomorrow? It's the matrix.org package archive key (repo-key.asc). | 23:19:28 |
| 12 Feb 2019 |
|  Maximus joined the room. | 01:34:07 |
| Maximus | Linda: Could it be possible to have an "Explain like I'm 5" description of the issue for people that I maintain their synapse server for? I'm not sure to fully understand the issue myself even after reading your detailed (thank you!) explaination in TWIM and I doubt I can relay the issue upstream. Also, is there an issue or something I can upvote to show my support? | 01:36:39 |
| Linda | ELI5: Matrix.org package signing key can be used to verify any packages from anywhere, and the only trust to that signing key from Matrix.org is HTTPS:// (essentially, Let's Encrypt). No fingerprints, nothing.
matrix-archive-keyring will be available from Debian.org (hopefully!), so it will also be signed by Debian developers. Hardening things.
| 01:38:25 |
| Linda | Is that good enough? | 01:38:29 |
| Linda | I'm changing it so that it can only be used to verify packages from matrix.org only. | 01:39:11 |
| Maximus | Yep, that's good enough for me, thank you! I didn't realise the signing key wasn't restricted to only the matrix.org repo | 01:39:51 |
| Maximus | And I'm guessing signing keys are usually restricted to specific repos/packages, right? The way the key is added seems very familiar to me and it feels like other projects do the same thing (unless I totally misundertood) | 01:41:03 |
| Linda | Keyrings in /usr/share/keyring can be used with apt(8) by adding Signed-by: /usr/share/keyrings/foo.gpg to the appropriate /etc/apt/sources.list.d/foo.list file, restricted by URI: https://foo.example/debian/. | 01:44:03 |
| Linda | The ones from /etc/apt/trusted.gpg{,.d} are trusted by apt(8) globally. | 01:44:40 |
| Linda | See: https://wiki.debian.org/DebianRepository/UseThirdParty | 01:44:47 |
| Linda | Debian archives are signed with debian-archive-keyring, leap.se packages with leap-archive-keyring, etc. | 01:46:57 |
| Maximus | Linda: thank you for the info, problem understood | 01:55:50 |
| Maximus | and thank you for putting together the package | 01:56:29 |
| Linda | 😊 | 01:56:42 |
| Maximus | I'll try it out tomorrow and let you know if nothing breaks on my setup | 01:57:02 |
| Linda | Maximus: Btw, there's no issue on GitHub. It's meta, nothing is really close to the issue. (Perhaps vector-im/riot-meta or matrix-org/matrix.org or matrix-org/matrid-doc?) | 02:00:20 |
| Linda | It's difficult to get patches reviewed anyway without using silos like GitHub; I'm so enthusiastic about distributed communications like email and Matrix. Debian's BTS is all hacked on top of email. | 02:00:42 |
| Maximus | Linda: I think your best bet would be https://github.com/matrix-org/package-synapse-debian at the moment | 02:01:03 |
| Linda | It affects all packages from Matrix.org and Riot.im though. 😛
Quite well known at #synapse-dev:matrix.org, though. | 02:01:42 |
| Maximus | it doesn't cover all the packages, but it has the merit to be about debian packages | 02:01:55 |
| Maximus | I agree there is no good repo for this | 02:02:00 |
| Maximus | my mad mind would just advise to open an issue on all the repos..... but I don't think that would be a good advise ;) | 02:02:27 |
| Linda | advice* | 02:02:55 |
| Linda | advising a person
giving advice | 02:03:05 |
| * Maximus puts on his native french accent | 02:03:41 |
