Gary L. Roach:
>
> Some of my most useful software is only available through Ubuntu PPA's. I
> can no longer access PPA's since Debian changed their security policies.
> When trying to access a PPA I get the following:
>
> The repository
> 'http://ppa.launchpad.net/elmer-csc-ubuntu/elmer-csc-ppa/ubuntu hirsute
> Release' does not have a Release file.
> N: Updating from such a repository can't be done securely, and is therefore
> disabled by default.
> N: See apt-secure(8) manpage for repository creation and user configuration
> details.
>
>
> The man page alludes to a couple of different ways to bypass the system but
> is really sketchy about how to apply them. There are at least a half dozen
> files that could be involved.
I do not find that confusing or sketchy:
| You can force all APT clients to raise only warnings by setting the
| configuration option Acquire::AllowInsecureRepositories to true.
| Individual repositories can also be allowed to be insecure via the
| sources.list(5) option allow-insecure=yes.
You can set Acquire::AllowInsecureRepositories in, for example,
/etc/apt/apt.conf.d/local. This is a standard apt configuration
mechanism, see apt.conf(5). For individual repositories you are referred
to sources.list(5) which mentions this format:
| deb [ option1=value1 option2=value2 ] uri suite [component1] [component2] […]
So you can just add allow-insecure=yes after the "deb" keyword (and the
following whitespace) like so:
deb [allow-insecure=yes] http://deb.debian.org/debian/ buster main
Do you understand the implications of this? It basically means that apt
will be unable to protect you from installing manipulated packages.
Without a Release file, there is no cryptographic signature that could
ensure that the packages you are installing contain what the PPA author
intends them to contain.
> Further, there is a note that basically says that
> all of the methods will be discontinued in the future. This would
> essentially preclude the use of Ubuntu PPA's.
Using packages compiled for a different distribution is always a bad
choice. I understand you are saying it is your only choice, but it is
still bad and has a high chance of leading to problems. You might be
better off using the targeted distribution instead. Not necessarily on
bare metal, maybe a VM, a chroot or a container image serve your
purposes better.
J.
--
There is no justice in road accidents.
[Agree] [Disagree]
<http://archive.slowlydownward.com/NODATA/data_enter2.html>
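Added example, not part of the original message: a small Python audit that flags the two settings discussed above (allow-insecure=yes in a sources.list entry and Acquire::AllowInsecureRepositories in an apt.conf fragment), so repositories with verification switched off do not go unnoticed. It goes slightly beyond the message by also flagging trusted=yes; the sample inputs and the example.invalid URLs are constructed.

```python
import re

# sources.list(5) one-line format: deb [ opt=val ... ] uri suite [components]
SOURCE_RE = re.compile(
    r'^deb(?:-src)?\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)')
# Flat apt.conf(5) form only; the nested "Acquire { ... }" form is not handled.
CONF_RE = re.compile(
    r'Acquire::AllowInsecureRepositories\s+"?(?P<val>[^";\s]+)"?\s*;', re.I)
TRUE_VALUES = {"yes", "true", "on", "enable", "with", "1"}  # truthy spellings
RISKY_OPTIONS = {"allow-insecure", "trusted"}  # both disable verification

def audit_sources(text):
    """Return (line number, uri, option) for each entry that weakens checks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SOURCE_RE.match(line.split("#", 1)[0].strip())
        if not m or not m.group("opts"):
            continue
        for opt in m.group("opts").split():
            key, _, val = opt.partition("=")
            if key.lower() in RISKY_OPTIONS and val.lower() in TRUE_VALUES:
                findings.append((lineno, m.group("uri"), key.lower()))
    return findings

def audit_conf(text):
    """Return line numbers where insecure repositories are allowed globally."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CONF_RE.search(line.split("//", 1)[0])  # ignore // comments
        if m and m.group("val").lower() in TRUE_VALUES:
            hits.append(lineno)
    return hits

# Constructed sample inputs (not taken from a real system).
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian/ bullseye main
deb [allow-insecure=yes] http://deb.debian.org/debian/ buster main
# deb [allow-insecure=yes] http://example.invalid/old stable main
deb [ arch=amd64 trusted=yes ] http://example.invalid/repo stable main
"""
SAMPLE_CONF = """\
// Acquire::AllowInsecureRepositories "true";
Acquire::AllowInsecureRepositories "true";
Acquire::AllowInsecureRepositories "false";
"""

if __name__ == "__main__":
    for lineno, uri, opt in audit_sources(SAMPLE_SOURCES):
        print(f"sources line {lineno}: {uri} has {opt} enabled")
    for lineno in audit_conf(SAMPLE_CONF):
        print(f"apt.conf line {lineno}: insecure repositories allowed globally")
```

To audit a real system, pass the contents of /etc/apt/sources.list, the files under /etc/apt/sources.list.d/ and the apt.conf fragments to these functions.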