I think we reached somewhat of an agreement that net-update is a bad idea and should not be done. It also depends on gnupg.
We should eventually consider developing something else, but I'm not sure how that would look like. Currently, there is no way to revoke keys except through packages, basically, which is a security issue. We need to provide signed keyfiles on different locations that apt can download so an attacker cannot use a broken key and MITM exisiting repositories forever.
I think we reached somewhat of an agreement that net-update is a bad idea and should not be done. It also depends on gnupg.
We should eventually consider developing something else, but I'm not sure how that would look like. Currently, there is no way to revoke keys except through packages, basically, which is a security issue. We need to provide signed keyfiles on different locations that apt can download so an attacker cannot use a broken key and MITM exisiting repositories forever.