Control: reassign wiki.x2go.org
Control: retitle -1 Update GPG key bootstrapping instructions for Debian
Control: close -1


* On 8/24/19 7:06 PM, Mihai Moldovan wrote:
> Control: reassign -1 packages.x2go.org
> 
> 
>> N: An update from such a repository cannot be done in a secure way, so
>> it is disabled by default.
> 
> The x2go-keyring package is available for Debian buster, includes the required
> key file and should work just fine.
> 
> However, newer apt versions will disallow downloading from an untrusted 
> repository.
> 
> In order to actually install the keyring package, try running something like:
> sudo apt-get --allow-unauthenticated install x2go-keyring
> 
> Afterwards, sudo apt update should not return an error again. Do not use the
> --allow-unauthenticated flag without understanding its implications.

That wasn't correct - at least not completely. --allow-unauthenticated should
work for package installations, but not for downloading repository metadata.

To allow apt to work with unauthenticated repository metadata, users would need
to use something like:
apt-get update --allow-insecure-repositories

This said: this is totally risky, now and later. Installing packages from an
unauthenticated repository doesn't give apt any chance to check the origin. A
successful Man-in-the-Middle attack is very likely in such a scenario. Worse,
even after the initial bootstrap, all subsequent operations and packages from
such a repository could still be malicious.


I've updated https://wiki.x2go.org/doku.php/wiki:repositories:debian et al with
this information, big fat warning signs and explanations.

**Users should always bootstrap with the currently valid GPG key and then
install the x2go-keyring package from the validated X2Go repository location!**


Closing up here.



Mihai


_______________________________________________
x2go-dev mailing list
x2go-dev@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-dev
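As an added example (not from the mail above or from the X2Go project), a small shell audit for the persistent forms of the bypasses the mail warns about: a `trusted=yes` option on a sources entry, and the apt.conf directives that correspond to `--allow-insecure-repositories` and `--allow-unauthenticated`. The sample files, hosts and keyring paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit apt configuration for
# the persistent forms of the bypasses discussed above. A hit means apt can
# no longer verify where metadata or packages from that source came from.

# Flag sources.list(5) entries carrying trusted=yes, which makes apt skip
# signature checks for that repository. Returns 1 on findings, 0 if clean.
audit_sources() {
    hits=$(grep -nE '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$1" || true)
    if [ -z "$hits" ]; then return 0; fi
    printf 'unauthenticated repository in %s:\n%s\n' "$1" "$hits"
    return 1
}

# Flag apt.conf(5) directives that disable authentication globally: the
# configuration equivalents of --allow-insecure-repositories and
# --allow-unauthenticated.
audit_apt_conf() {
    hits=$(grep -nE '^[[:space:]]*(Acquire::AllowInsecureRepositories|Acquire::AllowDowngradeToInsecureRepositories|APT::Get::AllowUnauthenticated)[[:space:]]+"?(true|yes)"?' "$1" || true)
    if [ -z "$hits" ]; then return 0; fi
    printf 'authentication disabled in %s:\n%s\n' "$1" "$hits"
    return 1
}

# Constructed samples standing in for /etc/apt/sources.list.d/* and
# /etc/apt/apt.conf.d/*; hosts and keyring paths are placeholders.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/keyring.list" <<'EOF'
# the intended setup: apt verifies InRelease against the keyring package's key
deb [signed-by=/usr/share/keyrings/PLACEHOLDER.gpg] https://repo.example.invalid/debian buster main
EOF
cat > "$SAMPLE_DIR/insecure.list" <<'EOF'
deb [trusted=yes] http://repo.example.invalid/debian buster main
EOF
cat > "$SAMPLE_DIR/99insecure" <<'EOF'
Acquire::AllowInsecureRepositories "true";
EOF
cat > "$SAMPLE_DIR/99clean" <<'EOF'
APT::Install-Recommends "false";
EOF

# Stand-alone run over the samples.
status=0
for f in "$SAMPLE_DIR"/*.list; do audit_sources "$f" || status=1; done
for f in "$SAMPLE_DIR"/99*; do audit_apt_conf "$f" || status=1; done
if [ "$status" -eq 0 ]; then echo "no authentication bypass found"
else echo "FAIL: review the entries above"; fi
```

Pointing the two functions at the real `/etc/apt/sources.list.d/` and `/etc/apt/apt.conf.d/` directories turns this into a quick check that a one-off bootstrap shortcut was not left in place permanently.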