Comment 2 for bug 833053

Sebastian Heinlein (glatzor) wrote :

We need a trusted way to get the path to the license key. It should not be possible to drop a custom file by just specifying the path in a possible AddLicenseKey call of aptdaemon. This could be misused to drop malicious plugins or configuration snippets (/opt/pkgname/conf.d). Since we already have a trust relation to the package repository, it would be nice to store the key in the package control fields.

An open question would be whether we specify only the directory or the whole license key path and name in the package records. If we want to support multiple license keys per package, we could only store the path in the records and s-c would need to choose a name.
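
An added illustration of the design discussed in this comment (not code from aptdaemon or from the comment's author): the directory comes from the trusted package record and the caller supplies only a file name, which is checked before anything is written. The field name `License-Key-Directory`, the function name and the sample record are hypothetical.

```python
import os

# Hypothetical control field name; the bug comment does not name one.
LICENSE_DIR_FIELD = "License-Key-Directory"


class UntrustedPathError(ValueError):
    """Raised when a requested license key location is not acceptable."""


def resolve_license_key_path(pkg_record, key_name):
    """Return the absolute path at which a license key may be written.

    pkg_record: dict of control fields read from the trusted package records.
    key_name:   file name chosen by the caller; treated as untrusted input.
    """
    directory = pkg_record.get(LICENSE_DIR_FIELD)
    if not directory or not os.path.isabs(directory):
        raise UntrustedPathError("package declares no absolute license directory")
    # The caller may only pick a bare file name, never a path.
    if (not key_name or key_name in (".", "..") or "\x00" in key_name
            or os.path.basename(key_name) != key_name):
        raise UntrustedPathError("license key name must be a bare file name")
    base = os.path.realpath(directory)
    target = os.path.realpath(os.path.join(base, key_name))
    # realpath follows symlinks, so an existing link inside the directory
    # that points somewhere else is rejected as well.
    if os.path.commonpath([base, target]) != base:
        raise UntrustedPathError("resolved path leaves the license directory")
    return target


if __name__ == "__main__":
    # Constructed sample record, as it might be read from package metadata.
    record = {LICENSE_DIR_FIELD: "/opt/pkgname/licenses"}
    print(resolve_license_key_path(record, "user.key"))
    try:
        resolve_license_key_path(record, "../conf.d/snippet.conf")
    except UntrustedPathError as err:
        print("rejected:", err)
```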