[Samba] Debian Bullseye Samba 4.15 online now. Amd64/i386/armhf/arm64

Lorenz Schori lo at znerol.ch
Thu Sep 30 09:59:08 UTC 2021


On Thu, 30 Sep 2021 11:39:05 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> [...]
> The repo setup for Bullseye has changed a bit. 
> Conform debian policy. 
> wget -O- https://apt.van-belle.nl/louis-van-belle.gpg-key.asc |\
>     gpg --dearmor | sudo tee
> /etc/apt/trusted.gpg.d/louis-van-belle.gpg > /dev/null
> [...]

Thanks for maintaining this repos. Please follow the Debian
recommendations and do not instruct people to place third-party keys
into /etc/apt/trusted.gpg.d. They should be placed in
/usr/share/keyrings instead, according the Debian wiki:


	The key MUST be downloaded over a secure mechanism like HTTPS
	to a location only writable by root, which SHOULD be
	/usr/share/keyrings. The key MUST NOT be placed in
	/etc/apt/trusted.gpg.d or loaded by apt-key add. 

Dropping third party keyrings into /etc/apt/trusted.gpg.d is equally
bad as using apt-key for the exact same reasons. It looks like this is a
widespread mistake (I did this too in the past). The following post
describes the problem accurately:


	The reason for this change is that when adding an OpenPGP key
	that's used to sign an APT repository to /etc/apt/trusted.gpg or
	/etc/apt/trusted.gpg.d, the key is unconditionally trusted by
	APT on all other repositories configured on the system that
	don't have a signed-by (see below) option, even the official
	Debian / Ubuntu repositories. As a result, any unofficial APT
	repository which has its signing key added to
	/etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any
	package on the system. So this change was made for security
	reasons (your security).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20210930/a17ab8fe/attachment.sig>

More information about the samba mailing list