Add Debian keyring package #8575

Draft: wants to merge 1 commit into master

Conversation


@paxswill paxswill commented Feb 8, 2021

Summary

This adds a script that creates a yarn-archive-keyring Debian package, and adds a Recommends relationship from the yarn package to yarn-archive-keyring. This package installs a drop-in keyring file for APT which can be easily updated as keys are rotated. I've been working with Debian packaging a fair bit recently (and did this exact task for my personal repo), so it was pretty quick.

I have not updated the changelog, as this patch doesn't actually change yarn itself.

Test plan

Right now the script takes a single argument, a key ID to export from gpg. I'm open to suggestions as to how you'd like to do it so it fits in with the rest of your infrastructure. The script also checks for a VERSION environment variable to use for the package version, but it falls back to the current date if that's not set (one possible change: base the version number on the expiration date of the key, but that feels a little weird having a date-based version far in the future).

This is a draft PR, I still need to add a postinst script that removes any old keys that were added with apt-key. I wanted to get some feedback on the version and key ID selection earlier though. Example usage:

VERSION=2021.02.04 ./scripts/build-deb-keyring.sh 23E7166788B63E1E

@Daniel15, you were offering to review in #7866 😉

Also added a Recommends relationship from the yarn package to the
yarn-archive-keyring package.
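The build described in the PR description above, as an added example that is not the PR's own scripts/build-deb-keyring.sh: it takes the key ID as its argument, uses VERSION or the current date for the package version, exports the key in the binary form APT reads from a keyring file, and packs the tree with dpkg-deb. The install path under /usr/share/keyrings, the control fields and the gpg/dpkg-deb invocations are this example's assumptions.

```shell
#!/bin/sh
# Added example: not the PR's own scripts/build-deb-keyring.sh.
# Assumptions: the key is exported with gpg, the package is assembled
# with dpkg-deb, and the keyring is installed under /usr/share/keyrings
# so apt sources can reference it with signed-by= instead of apt-key.
set -eu
PKG=yarn-archive-keyring
KEYRING_DIR=usr/share/keyrings           # assumed install location
KEYRING_FILE=${PKG}.gpg

# Package version: $VERSION if set, otherwise today's date, mirroring
# the fallback described in the PR.
keyring_version() {
    if [ -n "${VERSION:-}" ]; then
        printf '%s\n' "$VERSION"
    else
        date -u +%Y.%m.%d
    fi
}

# DEBIAN/control for the keyring package. It depends on nothing so a
# key rotation can ship even when yarn itself is held back.
write_control() {
    cat <<EOF
Package: ${PKG}
Version: $1
Architecture: all
Section: misc
Priority: optional
Maintainer: PLACEHOLDER <maintainer@example.invalid>
Description: APT signing keyring for the Yarn repository
 Ships ${KEYRING_FILE} so the repository can be verified with a
 signed-by= option rather than a key added through apt-key.
EOF
}

# Build the .deb for one key ID: export it in binary (dearmored) form,
# which is what APT reads from a keyring file, then pack the tree.
build_keyring_deb() {
    key_id=$1
    version=$(keyring_version)
    build=$(mktemp -d)
    mkdir -p "${build}/DEBIAN" "${build}/${KEYRING_DIR}"
    gpg --export "${key_id}" > "${build}/${KEYRING_DIR}/${KEYRING_FILE}"
    write_control "${version}" > "${build}/DEBIAN/control"
    dpkg-deb --build "${build}" "${PKG}_${version}_all.deb"
    rm -rf "${build}"
}
# Usage matching the PR: VERSION=2021.02.04 build_keyring_deb 23E7166788B63E1E
```

The resulting package installs only the keyring, so an apt sources entry carrying `signed-by=/usr/share/keyrings/yarn-archive-keyring.gpg` picks up a rotated key on the next package upgrade without touching the legacy apt-key store.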
@Daniel15 (Member) commented:

Thank you! I haven't forgotten about this; I'll likely have time to review it over the weekend :)

@Daniel15 (Member) commented:

Sorry I took so long to get around to this. This looks good to me. I wonder if it should go in the releases repo (https://github.com/yarnpkg/releases) given it's related to the release infra rather than Yarn itself.

As an alternative to this, I could extend the key to be valid for 5 years, or maybe just remove the expiration. What do you think? I'd need to assess the security risks of that.

@softorangetech1122 commented:

Can you please read the important note and migrate this PR to yarnpkg/berry? This repository is frozen
