On 2016-06-14 00:39, Simon Walter wrote:
> Well, maybe I didn't say it correctly. Is there already a devuan-keyring
> package on the iso-image?
It's a debootstrap install. There's no iso-image involved.
> My personal opinion is that keys should not be automatically downloaded
> and installed. But I am a bit paranoid.
I understand your reservations. However it does **not** trust the
keyring on the user system. It simply downloads it, issues a message it
was downloaded, and then passes the keyring file to the debootstrap
command for it to use validating packages. So it's completely safe.