Open Bug 1816076 Opened 1 year ago Updated 3 months ago

deb: Create a keyring package for the day we rotate the apt signing key or the day we change provider

Categories

(Release Engineering :: General, task, P3)

Tracking

(Not tracked)

People

(Reporter: jlorenzo, Unassigned)

References

Details

In the RRA (bug 1804741), we discussed how we should prevent vendor lock-in in case we want to migrate the APT repository elsewhere. We currently plan to host the APT repository on Google Artifact Registry (which is a GCP product). The plan below is not to be enacted today, it's just a plan for a potential future situation.

The vendor lock-in problem was raised because Google owns the private key in charge of gpg-signing the APT repo metadata. This means if we were to go to a different location, we must gpg-sign the metadata with a different key. In other words, we have to rotate the signing key. Key rotation is actually a problem Debian repos also face. The way they solve this is pretty simple: they put the new public key alongside the old one in a package called debian-archive-keyring. Debian users have this package installed by default, meaning users will automatically get the new key the next time they run apt-get update && apt-get upgrade. Mozilla can definitely create a similar keyring package with the current Google Artifact Registry public key and the public key of the new location. We communicate and give users several months before we make the switch. Once the deadline has expired, we redirect the DNS to the new repository location. This new location will be gpg-signed by the new key, which is going to be already trusted by APT clients.

Hence, no vendor lock-in! Plus, we also solve the case where we move from one GCP data center to another, if they happen to have different signing keys (which is not the case today).
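The plan above only works if the keyring shipped to users really does carry both keys before DNS is switched. The following is an added example, not code from this bug or from Mozilla's release tooling: it parses a binary OpenPGP keyring (the format a *-archive-keyring package installs under /usr/share/keyrings/), computes the v4 fingerprint of every primary public key it contains, and reports which of a required set of fingerprints are missing. The two keys, their RSA moduli, the user IDs and the creation timestamps are constructed dummies for the sake of a self-contained run; in practice you would pass the keyring file that the package builds and the fingerprints of the current and future signing keys.

```python
"""Pre-cutover check: does the keyring we ship contain every signing key we need?

Added example, not part of the bug report. Sample keys below are constructed
dummies (synthetic RSA moduli), not real Mozilla or Google keys.
"""
import hashlib
import struct


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def make_pubkey_packet(modulus: int, exponent: int, created: int) -> bytes:
    """Build a v4 RSA public-key packet (tag 6) with a new-format header.

    Only used here to construct sample keyrings; the moduli are dummies.
    """
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(exponent)
    length = len(body)
    if length < 192:
        header = bytes([0xC0 | 6, length])
    elif length < 8384:
        header = bytes([0xC0 | 6, ((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        header = bytes([0xC0 | 6, 0xFF]) + struct.pack(">I", length)
    return header + body


def make_userid_packet(user_id: bytes) -> bytes:
    """User ID packet (tag 13) with an old-format header and a one-octet length."""
    return bytes([0x80 | (13 << 2), len(user_id)]) + user_id


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; handles old and new header formats."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet at offset {i}")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hlen = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not used in keyrings")
        else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            hlen = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hlen], "big")
        body = data[i + hlen:i + hlen + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        yield tag, body
        i += hlen + length


def fingerprints(keyring: bytes) -> list[str]:
    """Fingerprints of all v4 primary public keys (tag 6): SHA-1 over 0x99, length, body."""
    result = []
    for tag, body in iter_packets(keyring):
        if tag == 6 and body[0] == 4:
            digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
            result.append(digest.hexdigest().upper())
    return result


def missing_keys(keyring: bytes, required: list[str]) -> list[str]:
    """Return the required fingerprints that are NOT present in the keyring."""
    present = set(fingerprints(keyring))
    return [fp for fp in required if fp.upper() not in present]


def check_keyring_file(path: str, required: list[str]) -> list[str]:
    """Same check against an on-disk binary keyring, e.g. the file a keyring package installs."""
    with open(path, "rb") as fh:
        return missing_keys(fh.read(), required)


# Constructed sample data: an "old" key (current provider) and a "new" key (future provider).
OLD_KEY = make_pubkey_packet((1 << 2047) | 0x10001, 65537, 1_600_000_000)
NEW_KEY = make_pubkey_packet((1 << 2047) | 0x30001, 65537, 1_700_000_000)
OLD_ONLY_KEYRING = OLD_KEY + make_userid_packet(b"Example APT repo (old key) <apt@example.invalid>")
ROTATION_KEYRING = OLD_ONLY_KEYRING + NEW_KEY + make_userid_packet(b"Example APT repo (new key) <apt@example.invalid>")

if __name__ == "__main__":
    required = fingerprints(ROTATION_KEYRING)
    print("keys in rotation keyring:", required)
    print("missing from old-only keyring:", missing_keys(OLD_ONLY_KEYRING, required))
```

Run this against the keyring the package actually installs, with the fingerprints of both the current and the future signing key in the required list; an empty result is the go signal for the DNS switch. Cross-check the fingerprints it prints against `gpg --show-keys <keyring>` on a client that has the package installed, and keep the file in binary form rather than ASCII-armored, since that is what `signed-by=` in a sources entry expects on older apt versions.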

This doesn't block the firefox-deb-repackage so I switched the bugs' relationship to "See Also"

No longer blocks: firefox-deb-repackage
See Also: → firefox-deb-repackage
Severity: -- → S4
Priority: -- → P3