docs: store ddev.gpg in keyrings instead of trusted.gpg.d #5172
Conversation
Please take a look at and There's more to be done than just this little bit. But those will give you more context. Definitely want to do it, would like to do more than you have here.
Setting access rights corresponding to https://docs.docker.com/engine/install/ubuntu/
I think we'll want to make the changes more than just in the docs. If you want to take that on it's welcome. See the previous PR, for example, and the discussion in the previous issue.
Please be more precise. What else do you expect?
The things that have to be done are listed in the initial comment, #5172 (comment) - Just search for the many places that have to be changed as was done in #4961 and do them. That PR had a number of problems, but the idea was right.
On Ubuntu systems keys stored in /etc/apt/trusted.gpg.d validate packages for the whole Linux installation. Custom sources should not use this directory for storing their keys as this creates a vulnerability. See https://www.digitalocean.com/community/tutorials/how-to-handle-apt-key-and-add-apt-repository-deprecation-using-gpg-to-add-external-repositories-on-ubuntu-22-04 for detailed explanation.
Set proper access rights when creating /etc/apt/keyrings.
I'm working on adding a commit to do the things.
Co-authored-by: hakre <hanskrentel@yahoo.de>
See #4960 (comment)
This PR introduces two different locations for the keys, one in /usr/share/keyrings and a second in /etc/apt/keyrings; I think we should use one only!
@gilbertsoft The PR uses /usr/share/keyrings only for deb.sury.org packages, and it's because that's what they currently recommend for their case. https://packages.sury.org/php/README.txt
Thanks for the additional information. I had a look at the various links and it looks fine to me.
The Issue
On Ubuntu systems keys stored in /etc/apt/trusted.gpg.d validate packages for the whole Linux installation. Custom sources should not use this directory for storing their keys as this creates a vulnerability.
See https://www.digitalocean.com/community/tutorials/how-to-handle-apt-key-and-add-apt-repository-deprecation-using-gpg-to-add-external-repositories-on-ubuntu-22-04 for detailed explanation.
How This PR Solves The Issue
Storing the ddev.gpg key in /etc/apt/keyrings/ mitigates this vulnerability.
Manual Testing Instructions
Release/Deployment Notes
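An added shell example (not code from the PR or the ddev project) of the layout this PR moves to: the key under /etc/apt/keyrings with the permissions the Docker install docs use, a sources entry scoped to that key with signed-by, and a check for third-party keys left in trusted.gpg.d. The repository URL, key bytes and distribution key name patterns are placeholders and assumptions; ROOT is a directory prefix so the functions can be exercised against a scratch directory rather than the live system.

```shell
# Added example: keep a third-party APT key in /etc/apt/keyrings, bound to one
# repository with signed-by, instead of trusted.gpg.d where it would validate every
# source on the system. ROOT is a prefix so this can run against a scratch directory.
set -eu
# Constructed placeholders: the PR does not state the repo URL or key contents.
REPO_URL='https://example.invalid/ddev-apt-repo'
PLACEHOLDER_KEY='PLACEHOLDER-DEARMORED-KEYRING-BYTES'
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# install_keyring ROOT NAME: directory 0755 and key 0644, as in the Docker install
# docs; a real install pipes the downloaded key through `gpg --dearmor` here.
install_keyring() {
  root="$1"; name="$2"
  install -m 0755 -d "$root/etc/apt/keyrings"
  printf '%s' "$PLACEHOLDER_KEY" > "$root/etc/apt/keyrings/$name.gpg"
  chmod 0644 "$root/etc/apt/keyrings/$name.gpg"
}

# write_source ROOT NAME: signed-by limits the key to this repository only.
write_source() {
  root="$1"; name="$2"
  install -m 0755 -d "$root/etc/apt/sources.list.d"
  printf 'deb [signed-by=/etc/apt/keyrings/%s.gpg] %s stable main\n' \
    "$name" "$REPO_URL" > "$root/etc/apt/sources.list.d/$name.list"
}

# verify_layout ROOT NAME: 0 when modes and the signed-by entry are as expected.
verify_layout() {
  root="$1"; name="$2"
  [ "$(mode_of "$root/etc/apt/keyrings")" = 755 ] &&
  [ "$(mode_of "$root/etc/apt/keyrings/$name.gpg")" = 644 ] &&
  grep -q "signed-by=/etc/apt/keyrings/$name.gpg" "$root/etc/apt/sources.list.d/$name.list"
}

# audit_trusted ROOT: report keys in trusted.gpg.d other than the distribution's
# own (name patterns are an assumption); returns 1 if any is found.
audit_trusted() {
  root="$1"; found=0
  for f in "$root"/etc/apt/trusted.gpg.d/*; do
    [ -e "$f" ] || continue
    case "$(basename "$f")" in
      ubuntu-keyring-*|debian-archive-*) ;;
      *) echo "system-wide trust: $f"; found=1 ;;
    esac
  done
  return "$found"
}
```

Run the functions with ROOT set to a scratch directory to see the layout, or with ROOT=/ as root to audit a real host.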