Suggestion: Make the deb packages self-bootstrapping

[lengau]

Describe the feature or problem you’d like to solve

Adding the Debian/Ubuntu repository currently is not nearly as convenient as on other platforms and includes potentially installing other software (curl, which is not part of the base Debian install), manually placing a file into a package manager-controlled directory, and manually creating the source entry. For various reasons (network issues, typos if manually typed into a machine without a browser, etc.), this series of long commands can be difficult to handle.

Additionally, when the current signing key expires on 2024-09-06, the current situation will result in a repeat of #6175 .

Rather, the deb packages should be self-bootstrapping like some other third-party software packaged for Debian and Ubuntu by their maintainers (e.g. Google Chrome). This will allow the keyring to be updated to include a new key before the expiry of the old key and, if a user still gets into a situation with an expired key, allow them to either reinstall from the deb file or upgrade bypassing authentication with `--allow-unauthenticated``

Proposed solution

Include the following additional files in the deb packages for gh:

1. /usr/share/keyrings/githubcli-archive-keyring.gpg - this should always be the latest keyring. When transitioning keys, this can include both the old and new keys. Once the transition is complete, it need only contain the latest key.
2. /etc/apt/sources.list.d/github-cli.list (or github-cli.sources) - this would contain the same value as the echo command in the install instructions currently in install_linux.md.
3. /etc/apt/preferences.d/github-cli.pref - this would contain a preferences file ensuring that the version of gh from the official repository is always pinned higher priority than a distro-provided package (even if that distro-provided package has a higher version number), and that any other packages would be lowest priority (and thus only installed from the github-cli repository if they don't exist in any other repositories).
4. An appropriate conffiles under control.tar.gz that lists both files placed in /etc as configuration files, thus allowing the administrator to change those files. (An alternative is also discussed in the Debian Maintainers' Guide.)

This is similar to a fully packaged version of the example on the Debian Wiki.

This way, a user may simply download a released deb file from the official releases page (either through their browser or via another means such as wget) and install it, automatically receiving updates (though this can then be disabled).

[mislav]

Thanks for the request. This looks like an excellent, actionable list of tips on how to improve our Debian packaging. 👍

And thanks for the PR too! 🚀