
Re: Facilitating external repositories



Hi Timo,

On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote:
> Hello Wouter Verhelst,
> 
> 03.11.19 18:35 Wouter Verhelst:
> > The software from the package downloads the metadata index and validates
> > the GPG signature; and if everything checks out, adds configuration to
> > /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
> > repository.
> 
> Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key is in
> there, its owner can impersonate the official Debian repos for default setups.¹
> Please use some other path (such as /var/lib/extrepo/keyrings/) for the
> keyrings and connect it with "Signed-By:" [1].
> 
> I just changed my /etc/apt/sources.list.d/debian.sources to have:
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Thanks. I agree that makes sense; I've updated the code as such.

-- 
To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard
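The point Timo raises above is that a key dropped into /etc/apt/trusted.gpg.d is trusted for every repository, including the official Debian archive, whereas a key referenced through `Signed-By:` in a deb822 `.sources` stanza is trusted only for that stanza's URIs. The following added example is not code from extrepo or from Debian; it writes a stanza in the scoped form and checks a sources file for the unsafe pattern. The repository URI, suite and keyring path are constructed placeholders, and the check only handles the file-path form of `Signed-By:` (not an inline armored key block).

```shell
#!/bin/sh
# Added example (not extrepo's or Debian's own code). It demonstrates the
# repository-scoped trust model: a third-party key is referenced from the
# stanza via Signed-By instead of being placed in /etc/apt/trusted.gpg.d.
# All repository values used here are constructed placeholders.

# Print a deb822 .sources stanza whose signing key is limited to this
# repository. Arguments: URI, suite, components, absolute keyring path.
write_sources_stanza() {
    uri=$1; suite=$2; components=$3; keyring=$4
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$uri" "$suite" "$components" "$keyring"
}

# Return 0 when every stanza in the given .sources file carries a Signed-By
# line whose keyring lives outside the system-wide trusted keyring locations.
# Return 1 when Signed-By is missing or points at /etc/apt/trusted.gpg(.d),
# because a key there would also be accepted for the official archive.
check_sources_file() {
    file=$1
    found=0
    while IFS= read -r line; do
        case "$line" in
            Signed-By:*)
                found=1
                keyring=${line#Signed-By:}
                # strip leading whitespace after the field name
                keyring=$(printf '%s' "$keyring" | sed 's/^[[:space:]]*//')
                case "$keyring" in
                    /etc/apt/trusted.gpg.d/*|/etc/apt/trusted.gpg) return 1 ;;
                esac
                ;;
        esac
    done < "$file"
    [ "$found" -eq 1 ]
}

# Stand-alone demonstration: write a scoped stanza to a temporary file and
# report whether it passes the check. (example.invalid is a reserved,
# non-resolving domain; the keyring path is a constructed placeholder.)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sources_stanza https://example.invalid/debian stable main \
        /usr/share/keyrings/example-archive-keyring.gpg > "$tmp"
    cat "$tmp"
    if check_sources_file "$tmp"; then
        echo "OK: key is scoped to this repository"
    else
        echo "WARNING: key would be trusted for all repositories"
    fi
    rm -f "$tmp"
fi
```

Run with `sh scoped-sources.sh --demo` to see the stanza and the verdict; the stanza it prints is the shape extrepo can drop into /etc/apt/sources.list.d/ while keeping the keyring under a path of its own, as the reply above agrees to do.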

