
Re: Repo. ppa.launchpad.net



On Thu 13 May 2021 at 21:42:41 (+0100), Richmond wrote:
> David Wright <deblis@lionunicorn.co.uk> writes:
> > On Thu 13 May 2021 at 16:42:09 (+0100), Richmond wrote:
> >> David Wright <deblis@lionunicorn.co.uk> writes:
> >> 
> >> > I'm surprised it doesn't do a quick upgrade while it's about it.
> >> > Anyway, that's what I call self-inflicted.
> >> 
> >> Those aren't the instructions given on the Signal website.
> >
> > As you prefer. I typed   signal debian   into google and clicked on
> > the top link:
> >   https://signal.org › download
> > which took me to
> >   https://signal.org/en/download/
> > I clicked on the blue   Download for Linux   button, and the following appeared:
> >
> >   Linux (Debian-based) Install Instructions
> >
> >   # NOTE: These instructions only work for 64 bit Debian-based
> >   # Linux distributions such as Ubuntu, Mint etc.
> >
> >   # 1. Install our official public software signing key
> >   wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
> >   suXdo mv signal-desktop-keyring.gpg /usr/share/keyrings/
> >
> >   # 2. Add our repository to your list of repositories
> >   echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' |\
> >     suXdo tee -a /etc/apt/sources.list.d/signal-xenial.list
> >
> >   # 3. Update your package database and install signal
> >   suXdo apt update && suXdo apt install signal-desktop
> >
> > Comparing this with what I posted before, I see that curl (Optional)
> > is replaced by wget (Standard), and one can assume the latter
> > is already installed.
> >
> > Step 1 differs in that it stores the .gpg key instead of .asc.
> > I'm not aware of any significance in one format or the other.
> >
> > Step 2 differs in that a specific key is used for verification,
> > rather than any key on the keyring.
> >
> > Step 3 is identical.
> >
> > Comments as before.
> 
> The command being piped to sudo, which you are concerned about, in the
> second version is the output from echo, which is the deb
> command. So it is doing what it says it is doing, adding the repo.

No, I can read echo too; it's the command before that one. I wrote:
   "I notice that it pipes the output of curl straight into sudo'd
    commands without a care in the world"
and the second version uses "wget -O-" ≡ "curl -s".

> The key is validated by gpg.
> 
> The curl version is dubious because it doesn't validate the key, so it
> could contain a ; and some other commands.

I don't see any validation of the key. IOW I don't see who is
represented by that key. You could just check the signal .deb file
against a SHA sum published on their page. That's what I meant.

The only difference appears to be that the first post puts the
ascii version onto the keyring, whereas the second puts the
binary version. I assume apt is unfazed by the difference.

> But I don't know why anyone
> would follow those instructions for students.

That was the first set. The second set of instructions was on
https://signal.org   and I assume that's the homepage for signal.
I presume that people would follow them to install the package,
and that you didn't. (I don't know what you did.)

> None of this shows that installing signal added the ppa.launchpad.net
> repo.

That wasn't my intent: Greg had dealt with that, in that one can
examine /var/lib/dpkg/info/*.p* for any "foreign" packages, and
read what they would have done when one installed them.

> So it is not self inflicted.

The sysadmin who executes the echo line above (step 2) would be the
person who added the repository, so that would be self-inflicted.
Whereas I wouldn't use that term when the change was indirectly
made in, say, a script that was itself downloaded.

Let me make it clear: this is not an accusation against you.
All you did was to mention "signal", whereupon I showed how somebody
might follow foreign instructions for installing a foreign package,
casually add a line to their sources.list, and, job done, forget all
about it. Signal just happened to be a perfect example, in that one
could cut and paste either of those instruction sets off the screen,
all without really digesting what they did. Again, not an accusation.

We're casting around for explanations of how a line like
http://ppa.launchpad.net/audio-recorder/ppa/ubuntu
got into *your* sources.list. I can only make suggestions about
possible mechanisms, not determinations. You're the one who presumably
wants to do that.

Cheers,
David.
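An added example, written for this page and not taken from Signal's instructions or from anyone in the thread, showing the checks the exchange above keeps circling around: pinning the signing key's fingerprint before it ever lands in /usr/share/keyrings, checking a downloaded .deb against a sum published separately, and scanning /var/lib/dpkg/info maintainer scripts (the *.p* files Greg pointed at) for anything that writes an apt source. The expected fingerprint argument, the key URL, the "focal" suite and the two sample postinst scripts are placeholders or constructed inputs, not real Signal or Launchpad data.

```shell
#!/bin/sh
# Added example; not Signal's install instructions and not code from this thread.
set -eu

# 1. Pin the key before trusting it. The quoted steps dearmor whatever the
#    server returns; this version downloads to a file, reads the fingerprint
#    without importing, and only installs the keyring if it matches a value
#    obtained out of band. The expected fingerprint is a placeholder you supply,
#    not Signal's real key.
install_keyring_if_fingerprint_matches() {
    keyurl=$1; expected_fpr=$2; dest=$3
    tmp=$(mktemp)
    wget -q -O "$tmp" "$keyurl"
    # With --with-colons, "fpr:" records carry the fingerprint in field 10.
    actual_fpr=$(gpg --show-keys --with-colons "$tmp" | awk -F: '/^fpr:/ { print $10; exit }')
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo "refusing key: fingerprint $actual_fpr != expected $expected_fpr" >&2
        rm -f "$tmp"
        return 1
    fi
    gpg --dearmor < "$tmp" > "$dest"   # run as root; nothing remote is piped into sudo
    rm -f "$tmp"
}

# 2. Verify a downloaded .deb against a sum published separately, as the reply
#    above suggests. Returns 0 on match, 1 on mismatch.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# 3. Audit dpkg maintainer scripts (/var/lib/dpkg/info/*.p*) for any package
#    that adds an apt source on the sysadmin's behalf. Prints matching script
#    paths, one per line; prints nothing if none match. Pattern match only:
#    a script that assembles the path from pieces would slip past it.
find_source_writers() {
    dir=$1
    grep -lE 'sources\.list|add-apt-repository|ppa\.launchpad\.net' \
        "$dir"/*.preinst "$dir"/*.postinst "$dir"/*.prerm "$dir"/*.postrm 2>/dev/null || true
}

# Demo on constructed data (no network, no root): two fake postinst scripts,
# one of which appends a PPA line the way a "foreign" package might.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "deb http://ppa.launchpad.net/example/ppa/ubuntu focal main" >> /etc/apt/sources.list.d/example.list\n' \
        > "$d/example-ppa.postinst"
    printf '#!/bin/sh\nldconfig\n' > "$d/harmless.postinst"
    echo "maintainer scripts touching apt sources:"
    find_source_writers "$d"
    printf 'hello\n' > "$d/sample.deb"     # constructed stand-in for a downloaded package
    if verify_sha256 "$d/sample.deb" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        echo "sample.deb: sha256 OK"
    else
        echo "sample.deb: sha256 MISMATCH"
    fi
    rm -rf "$d"
}

# On a real system: find_source_writers /var/lib/dpkg/info
demo
```

The first function is the piece the quoted instructions lack: "wget -O- | gpg --dearmor" accepts any key the server hands out, whereas comparing the fingerprint against one written down from a second source is what actually ties the keyring to the publisher. The third function answers the thread's original question directly; run it against /var/lib/dpkg/info and any package whose postinst appends to sources.list.d shows up by name.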