
Re: [HTCondor-users] New HTCondor Version Scheme



Tim-

1. It would be a modest improvement if the various repos used the same GPG key.
2. The structure of the repos leads me to the conclusion that I should not give as much of my trust to the X.Y.Z>=1 releases as to the X.Y.0 releases. I'm already buying into some measure of living on the edge by following you from 9.2.0 to 9.3.0, but you're telling me that 9.2.1 should be a separate opt-in.

1 has a simple reason: a good build process for a Docker image or a re-usable image for a VM probably should focus on installation rather than configuration. In particular, security configurations like the POOL password probably shouldn't end up in your image. So I don't want to use get_htcondor for that reason alone, although I understand the motivation.

The most secure and would-work-even-in-environments-without-outbound-internet build process would allow me to download a signing key that identifies the CHTC as a trusted source for all your repos. I could then use a local copy of that key for several years until you publicly announce a key rotation.

Status quo: I have to reconstruct the right key file from variables in get_htcondor.

Low on your priority list: but apt-key is deprecated in Debian 11; you're supposed to add "signed-by" a specific path to a key. Read up on it a bit, but it's a security improvement.

Tom

On Thu, Sep 23, 2021 at 8:28 AM Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Will,

Yes, 9.0.X will have what you need to support SciTokens and WLCG tokens.

- Brian

On 9/23/21 8:25 AM, William Strecker-Kellogg via HTCondor-users wrote:
> On 9/22/21 18:19, Bockelman, Brian wrote:
>> X.0.Y are now the "Long Term Support" releases and available through
>> the stable release channel. They are the equivalent to the old prod
>> series and have similar support lifetime and guarantees.
>
> Is it reasonable to expect that (for example) a major WLCG site like a
> Tier 1 can run a stable 9.0.X and still have all the features required
> for things like the upcoming token transition?
>
> Will
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
> with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
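
The apt-key versus "signed-by" point raised in the message above can be checked mechanically on an image. The following is an added example, not part of the original thread or of HTCondor's tooling: it audits one-line-style APT source entries and reports how each repository's signing key is scoped. The repository URL and keyring path are placeholders, and deb822 `.sources` files are not handled.

```python
# Added example: audit one-line-style APT source entries for signed-by pinning.
# Constructed sample; the repository URL and keyring path are placeholders.
SAMPLE_SOURCES = """\
# trusted only through the global keyring (the apt-key model)
deb https://repo.example.org/debian bullseye main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/debian bullseye main
deb-src [trusted=yes] https://repo.example.org/debian bullseye main  # no verification
"""

def parse_entry(line):
    """Return a dict for a 'deb [options] uri suite ...' line, or None."""
    line = line.split("#", 1)[0].strip()   # '#' starts a comment anywhere
    kind, _, rest = line.partition(" ")
    if kind not in ("deb", "deb-src"):
        return None
    rest, options = rest.strip(), {}
    if rest.startswith("["):
        block, closed, rest = rest[1:].partition("]")
        if not closed:
            raise ValueError(f"unterminated option block: {line!r}")
        for opt in block.split():
            key, _, value = opt.partition("=")
            options[key.lower()] = value
    fields = rest.split()
    if len(fields) < 2:
        raise ValueError(f"missing URI or suite: {line!r}")
    return {"type": kind, "options": options, "uri": fields[0], "suite": fields[1]}

def audit(text):
    """Classify each entry by how its signing key is scoped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        opts = entry["options"]
        values = [v for v in opts.get("signed-by", "").split(",") if v]
        if opts.get("trusted") == "yes":
            status = "unverified"        # signature checks are bypassed
        elif any(v.startswith("/") for v in values):
            status = "pinned"            # only this keyring file can vouch
        elif values:
            status = "fingerprint"       # key selected from the global keyring
        else:
            status = "global-keyring"    # any globally trusted key can vouch
        findings.append((lineno, entry["type"], status))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SOURCES))
```

Entries reported as `global-keyring` or `unverified` are the ones to convert to a per-repository keyring file.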
