Re: Facilitating external repositories
Hi Timo,
On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote:
> Hello Wouter Verhelst,
>
> 03.11.19 18:35 Wouter Verhelst:
> > The software from the package downloads the metadata index and validates
> > the GPG signature; and if everything checks out, adds configuration to
> > /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
> > repository.
>
> Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key is in
> there its owner can impersonate the official debian repos for default setups.¹
> Please use some other path (such as /var/lib/extrepo/keyrings/) for the
> keyrings and connect it with "Signed-By:" [1].
>
> I just changed my /etc/apt/sources.list.d/debian.sources to have:
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Thanks. I agree that makes sense; I've updated the code as such.
--
To the thief who stole my anti-depressants: I hope you're happy
-- seen somewhere on the Internet on a photo of a billboard
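An audit for the point raised in this thread, added here as an example and not code from extrepo or from either poster: it lists apt sources that carry no Signed-By and are therefore verified against the global trusted keyrings. The sample file contents and the example.org/example.net repositories are constructed, and the parser covers only the common deb822 and one-line forms.

```python
import re

def parse_deb822(text):
    """Yield one dict (lower-cased field names) per stanza of a .sources file."""
    stanza, key = {}, None
    lines = [l for l in text.splitlines() if not l.startswith("#")]
    for line in lines:
        if not line.strip():              # blank line ends the stanza
            if stanza:
                yield stanza
            stanza, key = {}, None
        elif line[0] in " \t" and key:    # continuation of the previous field
            stanza[key] += "\n" + line.strip()
        elif ":" in line:
            key = line.split(":", 1)[0].strip().lower()
            stanza[key] = line.split(":", 1)[1].strip()
    if stanza:
        yield stanza

ONE_LINE = re.compile(r"^\s*deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")
def parse_one_line(text):
    """Yield the same fields for each 'deb [options] uri suite ...' line."""
    for line in text.splitlines():
        m = ONE_LINE.match(line.split("#", 1)[0])
        if m:
            opts = dict(o.split("=", 1) for o in (m.group(1) or "").split() if "=" in o)
            yield {"uris": m.group(2), "suites": m.group(3),
                   "signed-by": opts.get("signed-by")}

def unpinned(text, deb822):
    """Sources without Signed-By: any globally trusted key can sign for them."""
    entries = parse_deb822(text) if deb822 else parse_one_line(text)
    return [f"{e.get('uris')} {e.get('suites')}" for e in entries
            if not e.get("signed-by")]

# Constructed sample inputs (not taken from any real system).
SAMPLE_SOURCES = """\
URIs: http://deb.debian.org/debian
Suites: unstable
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

URIs: https://repo.example.org/debian
Suites: stable
"""
SAMPLE_LIST = ("deb [signed-by=/var/lib/extrepo/keyrings/example.gpg] https://repo.example.org/a stable main\n"
               "deb https://repo.example.net/b stable main\n")
if __name__ == "__main__":
    print(unpinned(SAMPLE_SOURCES, True) + unpinned(SAMPLE_LIST, False))
```

On a real system, feed it the contents of /etc/apt/sources.list and of each file under /etc/apt/sources.list.d.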