[Research] Research on better ways to handle rotation of various packagecloud keys
Followup from #356 (closed). We should look into ways of making users (and our) lives easier when we have to rotate various keys related to Packagecloud.
Copying the comment regarding keyring packages:
- We will need keyring packages for all the OSs for
Recommends
to work, which means we need to either remember to do this manually when we add an OS (which is obviously inefficient), or we should add this to the CI pipeline (which means another set of CI jobs for all the OSs - not to be run always, but only when keys actually change, which means more gating on the codebase either by an env variable or by some other logic). - If we were to look at building one deb package and one rpm package, and copy it to all the OS directories, that still means more code and more conditionals. Or maybe a different project/repo but the problem of "remember to do this when you add a new OS" will still happen.
- System admins preventing installation of packages with Recommends relation by a policy is not that uncommon.
- How often do we expire repo signing keys? If it is only every 2/5 years, I fear if more code for such a relatively infrequent event will be a bit of over-engineering.
- A random package updating their trusted keys all of a sudden may not be acceptable to many users. For the initial installation script, they had the option to check the script and verify what it did, but in this case, they will only know this happened if they looked in the right place.