leap-archive-keyring should not install a globally valid trust anchor
(This is a copy of a bug reported in Debian as #880220. It is copied here because changes in Debian would require changes in the install instructions on the website as well.)
This package installs a keyring in /etc/apt/trusted.gpg.d which is great as it allows people to easily install LEAP applications by leveraging the trust path already in Debian.
It does, however, mean that LEAP could, in theory, sign releases for the official Debian archive, which is probably not what you want. There are some efforts underway to standardize a process for third-party repositories like LEAP, and the current proposal is to store those certificates in /usr/share/keyrings/ instead. See:
https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_Key_distribution
Then that key can be referred to in the sources.list, which connects the repository with its trust anchor without polluting the global trust space:
deb [signed-by=/usr/share/keyrings/deriv-archive-keyring.gpg] https://deriv.example.net/debian/ stable main
In the case of LEAP, this would probably be something like:
sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/leap-archive-keyring.gpg] http://deb.leap.se/client release stretch" > /etc/apt/sources.list.d/bitmask.list'
I would also recommend setting up a pinned preferences file in the archive as well, to keep the sources.list from upgrading random packages from the main archive. I guess the preferences file could look something like:
Package: bitmask* python-sqlcipher python-leap-common soledad*
Pin: origin deb.leap.se
Pin-Priority: 100
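As an added example (not part of the original bug report or of the LEAP packaging), the following POSIX shell script writes the sources.list.d entry and the preferences file proposed above under a prefix directory, and adds a small audit that lists any active "deb" line without a signed-by option, i.e. a repository that still relies on the global trust store. The prefix directory, the legacy.list sample entry and the function names are assumptions for illustration; on a real system the prefix would be empty so the files land under /etc/apt.

```shell
#!/bin/sh
# Added example, not code from the bug report or the leap-archive-keyring
# package. Builds the per-repository trust configuration described above
# under a prefix directory (constructed), and audits sources lists for
# entries that lack a [signed-by=...] option.
set -eu

# write_leap_sources ROOT: write the entry that binds the LEAP repository to
# its own keyring in /usr/share/keyrings instead of /etc/apt/trusted.gpg.d.
write_leap_sources() {
    root="$1"
    mkdir -p "$root/etc/apt/sources.list.d"
    printf '%s\n' \
      'deb [signed-by=/usr/share/keyrings/leap-archive-keyring.gpg] http://deb.leap.se/client release stretch' \
      > "$root/etc/apt/sources.list.d/bitmask.list"
}

# write_leap_preferences ROOT: write the pin file from the report so that
# only the listed packages are considered from origin deb.leap.se.
write_leap_preferences() {
    root="$1"
    mkdir -p "$root/etc/apt/preferences.d"
    cat > "$root/etc/apt/preferences.d/bitmask" <<'EOF'
Package: bitmask* python-sqlcipher python-leap-common soledad*
Pin: origin deb.leap.se
Pin-Priority: 100
EOF
}

# unsigned_by_sources FILE...: print every active deb/deb-src line that has
# no signed-by option. Such repositories are verified against every key in
# the global trust store. Returns 1 if any were found, 0 otherwise.
unsigned_by_sources() {
    found=0
    for f in "$@"; do
        while IFS= read -r line; do
            case "$line" in
                '#'*|'') continue ;;
                deb*)
                    case "$line" in
                        *signed-by=*) ;;
                        *) printf '%s: %s\n' "$f" "$line"; found=1 ;;
                    esac ;;
            esac
        done < "$f"
    done
    return $found
}

# global_keyrings ROOT: list keyrings in trusted.gpg.d; each of these can
# sign any configured repository, including the official Debian archive.
global_keyrings() {
    ls "$1/etc/apt/trusted.gpg.d" 2>/dev/null || true
}

# demo: run the whole procedure against a throwaway prefix directory.
demo() {
    root=$(mktemp -d)
    write_leap_sources "$root"
    write_leap_preferences "$root"
    # Constructed sample of an old-style entry that has no signed-by option.
    printf '%s\n' 'deb http://deb.leap.se/client release stretch' \
      > "$root/etc/apt/sources.list.d/legacy.list"
    unsigned_by_sources "$root"/etc/apt/sources.list.d/*.list \
      || echo "some repositories still depend on the global trust store"
    echo "globally trusted keyrings: $(global_keyrings "$root")"
    rm -rf "$root"
}
```

Running demo prints the legacy.list entry as the one still relying on global trust, while the bitmask.list entry written by write_leap_sources passes the check. The audit is deliberately line based so it can be pointed at /etc/apt/sources.list and /etc/apt/sources.list.d/*.list on a live system without any other tooling.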
I would be happy to help you make those changes if you accept.