debian repository instructions improvements #13

Merged (5 commits, Feb 14, 2018)

Conversation

anarcat (Contributor) commented Mar 14, 2017

this change allows people to set up the Grml repositories without trusting them with base packages, and will enforce the signature on the repository as well, instead of trusting the upstream grml-debian-archive package, which could be hijacked.

it also adds a preferences sample file and a way to install the keyring without downloading the package, which fails on stretch.

Commits:

- this change allows people to set up the Grml repositories without trusting them with base packages, and will enforce the signature on the repository as well, instead of trusting the upstream `grml-debian-archive` package, which could be hijacked.
- otherwise adding just stable yields a warning on ARM
- link to the manpage and suggest a filename
- the docs don't clearly say how to deploy the keyring; just installing the package fails on Debian stretch

anarcat changed the title from "add signed-by and preferences directives" to "debian repository instructions improvements" on Mar 14, 2017

- use more liberal pin (`100`) which allows upgrading packages while respecting default release policies. also use the `archive` name instead of non-existent suite name
anarcat (Contributor, Author) commented Mar 19, 2017

i understand there were some concerns about the apt pinning here, which were mostly expressed over IRC.

i understand those concerns. however, i would still like this to be merged. in 3a17aaf, i've made an explicit effort to make packages upgradable while retaining a lower priority than official debian packages.

thanks for reconsidering!

anarcat (Contributor, Author) commented Mar 22, 2017

another thought: the OpenPGP key that signs the Grml apt repo shouldn't be installed in /etc/apt/trusted-gpg.d. It should be installed in another arbitrary location (e.g. /usr/share/keyrings/grml-archive.gpg) and the sources.list file should point to it with signed-by=/usr/share/keyrings/grml-archive.gpg.

this way the Grml archive key couldn't be abused to sign the official archives.

anarcat (Contributor, Author) commented Mar 22, 2017

note that i have turned this into a more complete proposal in the Debian wiki:

https://wiki.debian.org/RepositoryInstructions

it should be noted that my previous comment about using a file for signed-by only applies to stretch or later, and will break in jessie. therefore the current instructions are correct.

there are, however, recommendations in the above proposal that are not currently implemented in the grml repo, most notably #14.
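The layout the comments above argue for (keyring outside /etc/apt/trusted.gpg.d, the source entry bound to it with signed-by=, and the liberal Pin-Priority 100 from commit 3a17aaf) as an added, self-contained example. This is not the grml-doc project's own instructions or the text of the wiki proposal; it is written for stretch or later, since signed-by= needs apt 1.1 or newer and, as noted above, breaks on jessie. The repository URL, suite and hostname are placeholders (assumptions, not taken from this page), and the preferences file pins by hostname because the page does not show the archive name the commit pins on. Setting ROOT to a scratch directory writes the whole layout there instead of into the live system, which is how the example can be dry-run without root.

```shell
#!/bin/sh
# Added example, not the grml-doc project's own instructions: deploy an apt
# source for a derivative repository with a repository-scoped keyring
# (signed-by=) and a low-priority pin, as recommended in this thread.
# Assumptions, not taken from the page: REPO_URL, SUITE and REPO_HOST are
# placeholders to be replaced with the real repository values.
set -eu

REPO_URL="${REPO_URL:-https://example.invalid/debian/}"  # assumption
SUITE="${SUITE:-grml-stable}"                             # assumption
REPO_HOST="${REPO_HOST:-example.invalid}"                 # assumption
KEYRING_REL="/usr/share/keyrings/grml-archive-keyring.gpg"

# ROOT lets the whole layout be written into a scratch directory for a dry
# run; leave it empty to install into the running system (needs root).
root() { printf '%s' "${ROOT:-}"; }

# Copy a binary (non-armored) OpenPGP keyring into /usr/share/keyrings.
# Keys under /etc/apt/trusted.gpg.d are trusted for every configured
# repository; a file elsewhere is only used by entries naming it with
# signed-by=, so this key cannot validate the official Debian archives.
deploy_keyring() {
    src="$1"
    mkdir -p "$(root)/usr/share/keyrings"
    cp "$src" "$(root)$KEYRING_REL"
    chmod 0644 "$(root)$KEYRING_REL"
}

# One source entry, bound to the keyring. signed-by= requires apt >= 1.1
# (Debian stretch); older releases do not support this option.
write_sources() {
    mkdir -p "$(root)/etc/apt/sources.list.d"
    printf 'deb [signed-by=%s] %s %s main\n' "$KEYRING_REL" "$REPO_URL" "$SUITE" \
        > "$(root)/etc/apt/sources.list.d/grml.list"
}

# Priority 100 (the same apt gives NotAutomatic archives): a package from
# this host is only installed when no other source provides it, but a
# package already installed from here still upgrades to newer versions
# from here. Official Debian packages keep their default priority of 500.
# Pinning by hostname is an assumption; the PR's commit pins by archive name.
write_preferences() {
    mkdir -p "$(root)/etc/apt/preferences.d"
    cat > "$(root)/etc/apt/preferences.d/grml" <<EOF
Package: *
Pin: origin "$REPO_HOST"
Pin-Priority: 100
EOF
}

# Check the resulting layout; returns non-zero on the mistakes the thread
# warns about (keyring also in trusted.gpg.d, entry without signed-by=).
check_layout() {
    [ -f "$(root)$KEYRING_REL" ] || { echo "keyring missing" >&2; return 1; }
    grep -q "signed-by=$KEYRING_REL" "$(root)/etc/apt/sources.list.d/grml.list" \
        || { echo "source entry not bound to the keyring" >&2; return 1; }
    if [ -e "$(root)/etc/apt/trusted.gpg.d/grml-archive-keyring.gpg" ]; then
        echo "keyring also in trusted.gpg.d: it would validate every repository" >&2
        return 1
    fi
    grep -q '^Pin-Priority: 100$' "$(root)/etc/apt/preferences.d/grml" \
        || { echo "preferences missing or wrong priority" >&2; return 1; }
}

# Usage: ROOT=/tmp/dryrun ./grml-apt.sh install /path/to/grml-archive-keyring.gpg
if [ "${1:-}" = install ]; then
    deploy_keyring "${2:?path to keyring file required}"
    write_sources
    write_preferences
    check_layout
fi
```

After a real install, `apt-get update` followed by `apt-cache policy` on a package from the repository should show the Grml candidate at priority 100 below the Debian candidate at 500, and `apt-key list` should not list the Grml key at all.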

@formorer formorer merged commit 65c3d43 into grml:master Feb 14, 2018
@anarcat anarcat deleted the patch-1 branch February 14, 2018 18:59
anarcat (Contributor, Author) commented Feb 14, 2018

i'm pretty sure you're not going to like this, but FWIW, the instructions changed. the recommended location for keyrings is now in /usr/share/keyrings/deriv-archive-keyring.gpg and the keyring file should be used instead of the fingerprint, so that keyrings affect only one repository, removing the cross-site signing attack.

mika (Member) commented Feb 14, 2018

@anarcat heh, this is the good thing about merging this so late (sorry for that, all of us pretty overloaded :-/), any chance you might provide an according PR for us? (rest assured, will be merged much faster this time ;)) thx!

anarcat (Contributor, Author) commented Feb 15, 2018

alright, i opened #21 about that, but do note that this won't be sufficient: changes to the grml-archive-keyring will also be necessary, as the PR details.

anarcat (Contributor, Author) commented Feb 15, 2018

... and that's done in grml/grml-debian-keyring#3
