On Mon, May 01, 2023 at 06:24:24PM +0200, Rainer Dorsch wrote:
> On Monday, 1 May 2023, 14:40:18 CEST, you wrote:
> > On Wed, 29 Mar 2023 22:58:35 +0200 Rainer Dorsch <m...@bokomoko.de> wrote:
> > > according to
> > > https://linuxnews.de/2021/04/10/debian-11-repositories-aus-3-hand-ohne-apt-key-einbinden/
> > > Debian 12 supports and requires a safer way to import keys
> > > for 3rd party repos. If that is the case, I suggest to add this to the
> > > release notes, since it is a nice security enhancement feature.
> >
> > hi this sounds interesting - i can help develop some text, but you
> > will need to give me more info on what the new feature is: the webpage
> > you link to is in german, but the title says debian 11, and the first
> > link is to a wiki page giving instructions for 'stretch or later'.
> > The bit about writing
> > 'signed-by' in sources.list has been available since, i think, buster....
> >
> > so is there actually a new feature for debian 12?
>
> I am not the expert, therefore I copy the apt team to confirm if that is a new
> feature.
>
> The webpage says that the new part in Debian 12 is that you cannot use the
> legacy way to add 3rd party sources anymore (using apt-key).
As the article correctly says, apt-key in the usage mentioned in it is sorta
recommended against since 2010 … so, not exactly new. We changed/added new
stuff over the last 13 years, sure, but that apt-key fails for "normal" users
has been the case since at least 2017 (as it requires gnupg and that isn't a
dependency of apt anymore since 2016). We had hopes to get rid of it, but I
actually ended up vetoing the removal that was advertised (and the article has
picked up) as apt-key has use cases which aren't replaced (and for technical
reasons, apt needs the code it contains, so the "removal" would have just been
a move to a different place) for which we don't have a replacement yet, so all
the removal would have achieved is annoy people and as annoyed people tend to
show up at our doorsteps, I tend to prefer to avoid that.

> wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor |
> sudo tee /usr/share/keyrings/signal-archive-keyring.gpg

For the record: That is broken™ as it requires g(nu)pg, which as said is not
installed by default. On the upside, you can just drop the "gpg --dearmor" from
that command as apt can work with armored keys just fine and most tools/users
will prefer strange text files (which is what armor means) compared to an opaque
binary file. Those files need an '.asc' extension on disk though or apt will
indeed be confused.

It is also usually not a good idea to store "random" files in places usually
managed by your package manager (aka dpkg). You can use the directory
/etc/apt/keyrings/ for that – with recent apt versions that directory already
exists, if not, you can just create it without issue.

> has to be used and /etc/apt/sources.list(.d) has to be adapted accordingly:
>
> deb [signed-by=/usr/share/keyrings/signal-archive-keyring.gpg] https://updates.signal.org/debian/ stable main

You can use that. There are other ways like embedding the key directly into a
.sources file. You don't have to.
Debian itself doesn't for its own various repositories. It also depends on
what your 3rd party actually provides you – like, in an ideal world it is their
job to provide you with the details of how to properly add them.

I also take a bit of an issue at the notion of that improving security. Sure,
you can construct situations in which it actually does, but at the end of the
day you grant full root rights to every repository you add and use, so in the
grand scheme of things it changes nothing (much). (The only notable improvement
is actually that if you use that sort of scheme you can't have old keys
accepted from repos you removed again for other repos.)

> I understood: Debian 12 enforces the secure way of adding 3rd party sources.
>
> I assume, if somebody used the old way to include 3rd party sources, he has to
> do something to keep the functionality.

No. What is "new" is that apt warns about /etc/apt/trusted.gpg which is the file
keys end up in if you have installed them with 'apt-key add -' or similar. It
still works, apt just prefers not using the file and complains if it has to.
No "enforcement". Debian 13 might drop support for that file if the warning
works out, but we will see. We might need a release notes entry at that point
as (then) 15+ years feels very rushed for a transition… 😜

So, long story short, I don't think this deserves a release notes entry as
those who have to act in the long term get a message by apt (and the proper
reaction might simply be to not use those crappy 3rd party sources anymore if
they can't be bothered to write better instructions). There is a lot of bad
advice given about how to add 3rd party sources, but I don't think it is the
release notes' job to explain how to do that properly (and, as said, it varies
a bit by 3rd party).
As a sidenote – not a recommendation from me as I never used it myself – the
package "extrepo" is supposed to help with the use case of adding 3rd party
repositories; it isn't new either but feel free to check it out.

Best regards

David Kalnischkies
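As an added example that is not part of David's mail or of apt itself, here is the layout he describes above (armored key copied unchanged, no gpg needed, into /etc/apt/keyrings/ with an .asc extension, then referenced via Signed-By, or alternatively embedded straight into a deb822 .sources file) written out as a small POSIX sh script. The function names, the KEYRING_DIR/SOURCES_DIR parameters and the sample key block are assumptions of this example; the Signal key URL and repository line are the ones quoted in the thread, and the key material below is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the mail or from apt): install a 3rd-party archive
# key without gpg and bind it to exactly one repository via Signed-By.
# KEYRING_DIR / SOURCES_DIR default to the real apt locations but can be
# pointed at a scratch directory for a dry run (assumed parameter names).
set -eu

KEYRING_DIR="${KEYRING_DIR:-/etc/apt/keyrings}"
SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"

# apt needs armored keys to carry an '.asc' suffix and binary keyrings a
# '.gpg' suffix; decide from the first line instead of guessing.
key_extension() {
    if head -n1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'; then
        echo asc
    else
        echo gpg
    fi
}

# Copy the downloaded key as-is (no "gpg --dearmor") into the keyring
# directory, creating it if this apt is too old to ship it. Prints the path.
install_key() {
    name=$1; src=$2
    ext=$(key_extension "$src")
    mkdir -p "$KEYRING_DIR"
    dest="$KEYRING_DIR/$name-archive-keyring.$ext"
    cp "$src" "$dest"
    chmod 0644 "$dest"
    echo "$dest"
}

# deb822 .sources entry: Signed-By restricts this key to this repository,
# so a key from a repo you later remove cannot vouch for any other repo.
write_sources() {
    name=$1; uri=$2; suite=$3; components=$4; keypath=$5
    mkdir -p "$SOURCES_DIR"
    cat > "$SOURCES_DIR/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $components
Signed-By: $keypath
EOF
    echo "$SOURCES_DIR/$name.sources"
}

# Variant: embed the armored key in the .sources file itself. deb822
# continuation lines start with a space and blank lines become " .".
write_sources_inline() {
    name=$1; uri=$2; suite=$3; components=$4; keyfile=$5
    mkdir -p "$SOURCES_DIR"
    {
        printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By:\n' \
            "$uri" "$suite" "$components"
        sed -e 's/^$/./' -e 's/^/ /' "$keyfile"
    } > "$SOURCES_DIR/$name.sources"
    echo "$SOURCES_DIR/$name.sources"
}

# Constructed placeholder standing in for a real downloaded key.
make_sample_key() {
    cat > "$1" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

bm90IGEgcmVhbCBrZXkK
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Dry run in a temporary directory; with real input you would replace
# make_sample_key by: wget -O "$tmp/keys.asc" https://updates.signal.org/desktop/apt/keys.asc
demo() {
    tmp=$(mktemp -d)
    KEYRING_DIR="$tmp/keyrings"
    SOURCES_DIR="$tmp/sources.list.d"
    make_sample_key "$tmp/keys.asc"
    key=$(install_key signal "$tmp/keys.asc")
    cat "$(write_sources signal https://updates.signal.org/debian/ stable main "$key")"
    echo
    cat "$(write_sources_inline signal-inline https://updates.signal.org/debian/ stable main "$tmp/keys.asc")"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh thirdparty-repo.sh --demo` to see both generated .sources files without touching /etc; called as root with the defaults, install_key and write_sources produce the real /etc/apt/keyrings/ and /etc/apt/sources.list.d/ entries.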