Timber.io is being deprecated

[jdrouet]

Hey 👋
The vector official debian repository is switching from timber.io to vector.dev (see here).
This repository should be changed accordingly.

[ypid]

extrepo can handle repo URL and GPG keys for you. I recently updated extrepo-data https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/275

I use extrepo to setup the vector repo on Debian as well as Ubuntu without issues.

[jdrouet]

I think it would be best to use Datadog's repository and their keys to avoid security issues

[ypid-work]

The case for extrepo is that it is in Debian. So you can install extrepo and its GPG key from Debian where APT uses GPG to validate extrepo. Then extrepo uses GPG to retrieve external metadata and repo GPG keys. So there is a chain of trust from Debian down to the external repo like vector. It can be audited.

If you don’t trust that, you could self host the extrepo metadata. In the future, extrepo-offline-data will become usable in Debian Stable and thus even simplify this.

It comes down to maintenance vs. security. And extrepo is arguably better than using bash -c "$(curl -L https://setup.vector.dev)" from https://vector.dev/docs/setup/installation/package-managers/apt/

or

- name: Install Vector (Debian)
  apt:
    deb: "https://packages.timber.io/vector/{{ version }}/vector_{{ version }}-1_{{ arch }}.deb"
    install_recommends: yes

which is currently used by this role.

At DebOps extrepo is used to offload the work of key rotations and repo changes to one single place and Ansible and other config management software can use alike.