Bug#944102: create sources.list with signed-by

To: submit@bugs.debian.org
Subject: Bug#944102: create sources.list with signed-by
From: Timo Weingärtner <timo@tiwe.de>
Date: Mon, 04 Nov 2019 12:01:01 +0100
Message-id: <[🔎] 4111686.2fUJF2GYAm@timo01.tiwe.de>
Reply-to: Timo Weingärtner <timo@tiwe.de>, 944102@bugs.debian.org

Package: debian-installer
Severity: normal
Tags: d-i

Hallo,

debian-installer should create /etc/apt/sources.list (or /etc/apt/
sources.list.d/debian.sources) with:

[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]

With the current implementation any owner of a 3rd-party repository installed 
into /etc/apt/trusted* could impersonate the official Debian repositories.

(I have not investigated if per-release keyrings from debian-archive-keyring 
can be used reliably instead, but there is no keyring for bullseye right now.)


Grüße
Timo

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Prev by Date: Bug#880122: Bug#939798: floppy support in d-i
Next by Date: Bug#880122: Bug#939798: floppy support in d-i
Previous by thread: Processed: Re: Bug#939798: floppy support in d-i
Next by thread: Bug#935540: debian-installer: Errors on sources.list security repositories
Index(es):
- Date
- Thread