Re: Repo. ppa.launchpad.net

To: debian-user@lists.debian.org
Subject: Re: Repo. ppa.launchpad.net
From: Richmond <richmond@criptext.com>
Date: Thu, 13 May 2021 21:42:41 +0100
Message-id: <[🔎] 841raas6v2.fsf@example.com>
References: <[🔎] 84cztw2sas.fsf@example.com> <[🔎] 84o8dfb208.fsf@example.com> <[🔎] 84k0o3azud.fsf@example.com> <[🔎] 202105131148.37413.linux@stefan-krusche.de> <[🔎] YJ0GeJpxH6+vW4ln@wooledge.org> <[🔎] 20210513150953.GB6859@axis.corp> <[🔎] 848s4iskry.fsf@example.com> <[🔎] 20210513190327.GA21187@axis.corp>

David Wright <deblis@lionunicorn.co.uk> writes:

> On Thu 13 May 2021 at 16:42:09 (+0100), Richmond wrote:
>> David Wright <deblis@lionunicorn.co.uk> writes:
>> 
>> > I'm surprised it doesn't do a quick upgrade while it's about it.
>> > Anyway, that's what I call self-inflicted.
>> 
>> Those aren't the instructions given on the Signal website.
>
> As you prefer. I typed   signal debian   into google and clicked on
> the top link:
>   https://signal.org › download
> which took me to
>   https://signal.org/en/download/
> I clicked on the blue   Download for Linux   button, and the following appeared:
>
>   Linux (Debian-based) Install Instructions
>
>   # NOTE: These instructions only work for 64 bit Debian-based
>   # Linux distributions such as Ubuntu, Mint etc.
>
>   # 1. Install our official public software signing key
>   wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
>   suXdo mv signal-desktop-keyring.gpg /usr/share/keyrings/
>
>   # 2. Add our repository to your list of repositories
>   echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' |\
>     suXdo tee -a /etc/apt/sources.list.d/signal-xenial.list
>
>   # 3. Update your package database and install signal
>   suXdo apt update && suXdo apt install signal-desktop
>
> Comparing this with what I posted before, I see that curl (Optional)
> is replaced by wget (Standard), and one can assume the latter
> is already installed.
>
> Step 1 differs in that it stores the .gpg key instead of .asc.
> I'm not aware of any significance in one format or the other.
>
> Step 2 differs in that a specific key is used for verification,
> rather than any key on the keyring.
>
> Step 3 is identical.
>
> Comments as before.


The command being piped to sudo, which you are concerned about, in the
second version is the output from echo, which is the deb
command. So it is doing what it says it is doing, adding the repo. The
key is validated by gpg.

The curl version is dubious because it doesn't validate the key, so it
could contain a ; and some other commands. But I don't know why anyone
would follow those instructions for students.

None of this shows that installing signal added the ppa.launchpad.net
repo.. So it is not self inflicted.

Reply to:

Follow-Ups:
- Re: Repo. ppa.launchpad.net
  - From: David Wright <deblis@lionunicorn.co.uk>

References:
- Repo. ppa.launchpad.net
  - From: Richmond <richmond@criptext.com>
- Re: Repo. ppa.launchpad.net
  - From: Richmond <richmond@criptext.com>
- Re: Repo. ppa.launchpad.net
  - From: Richmond <richmond@criptext.com>
- Re: Repo. ppa.launchpad.net
  - From: Stefan Krusche <linux@stefan-krusche.de>
- Re: Repo. ppa.launchpad.net
  - From: Greg Wooledge <greg@wooledge.org>
- Re: Repo. ppa.launchpad.net
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: Repo. ppa.launchpad.net
  - From: Richmond <richmond@criptext.com>
- Re: Repo. ppa.launchpad.net
  - From: David Wright <deblis@lionunicorn.co.uk>

Prev by Date: Re: How to reference xxxdvd1.iso in sources.list
Next by Date: need help on playing m3u8 file with mplayer
Previous by thread: Re: Repo. ppa.launchpad.net
Next by thread: Re: Repo. ppa.launchpad.net
Index(es):
- Date
- Thread