Checking sources: dscverify and debian-keyring

diff --git a/README.md b/README.md
index f72b32bb0dcedaf3cab10cc03b7c45693c01da38..d9d173d10380a64bb1ea20384659815be04ab62e 100644 (file)
--- a/README.md
+++ b/README.md
@@ -8,6 +8,10 @@ to Debian.
 These notes are mainly references to the detailed Debian/Ubuntu documentations we're using in
 the course of learning the intricacies of Debian packaging.
 
+Grab this repository using
+
+    git clone --recursive git://git.sarava.org/debian.git
+
 Configuration files
 -------------------
 

diff --git a/TODO.md b/TODO.md
index bc63e1d061364a21b22e8984cbb3a216bdc3ba08..bb5074174127d244b4f7af190ff8077af4408f71 100644 (file)
--- a/TODO.md
+++ b/TODO.md
@@ -1,6 +1,11 @@
 TODO
 ====
 
+Repositories
+------------
+
+* Merge all `build-area` folders.
+
 Backport
 --------
 

diff --git a/basics.md b/basics.md
index 166b31ee0156978479d0fecacff28db403a1c1fb..dd43c1b6f446f39b888f140149778a0e563f0c77 100644 (file)
--- a/basics.md
+++ b/basics.md
@@ -16,21 +16,52 @@ Using `apt-get`:
 Checking the source
 -------------------
 
-Get the key if needed
+This is the trick part. In theory, you could run just
 
-    gpg --recv-keys 12345678
+    dscverify *.dsc
 
-Checking the source
+Which would check if the signature was made for a key included in the `debian-keyring` package.
 
-    dscverify *.dsc
+In practice, it should always work for sources you download from the **same** Debian version you're running.
+But sources you download from newer versions might not work, depending basically if the maintainer's key is
+already on the `debian-keyring` you installed.
 
-Extracting:
+If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the
+form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder:
 
-    dpkg-source -x *.dsc
+    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc
+
+Or you can use the following alias:
+
+    dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'
+
+This assumes that you initialized the `keyring` submodule and compiled the keyrings:
+
+    ( cd keyring && make )
+
+We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring.
+
+Another option is to get the specific key:
+
+    gpg --recv-keys 12345678
+
+Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey 
+you just downloaded. The same goes for software you're porting to Debian and that you can't actually check
+it's signature against `debian-keyring`.
 
 See also:
 
+* `dscverify(1)` manpage.
+* [Debian Public Key Server](http://keyring.debian.org/).
 * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
+* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
+
+Extracting the source
+---------------------
+
+If needed, do this after your successfully verified the sources:
+
+    dpkg-source -x *.dsc
 
 Getting dependencies
 --------------------