[Samba] Debian Bullseye Samba 4.15 online now. Amd64/i386/armhf/arm64
Lorenz Schori
lo at znerol.ch
Thu Sep 30 09:59:08 UTC 2021
Hi,
On Thu, 30 Sep 2021 11:39:05 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> [...]
> The repo setup for Bullseye has changed a bit.
>
> Conform debian policy.
> wget -O- https://apt.van-belle.nl/louis-van-belle.gpg-key.asc |\
> gpg --dearmor | sudo tee
> /etc/apt/trusted.gpg.d/louis-van-belle.gpg > /dev/null
> [...]
Thanks for maintaining this repos. Please follow the Debian
recommendations and do not instruct people to place third-party keys
into /etc/apt/trusted.gpg.d. They should be placed in
/usr/share/keyrings instead, according the Debian wiki:
https://wiki.debian.org/DebianRepository/UseThirdParty
The key MUST be downloaded over a secure mechanism like HTTPS
to a location only writable by root, which SHOULD be
/usr/share/keyrings. The key MUST NOT be placed in
/etc/apt/trusted.gpg.d or loaded by apt-key add.
Dropping third party keyrings into /etc/apt/trusted.gpg.d is equally
bad as using apt-key for the exact same reasons. It looks like this is a
widespread mistake (I did this too in the past). The following post
describes the problem accurately:
https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
The reason for this change is that when adding an OpenPGP key
that's used to sign an APT repository to /etc/apt/trusted.gpg or
/etc/apt/trusted.gpg.d, the key is unconditionally trusted by
APT on all other repositories configured on the system that
don't have a signed-by (see below) option, even the official
Debian / Ubuntu repositories. As a result, any unofficial APT
repository which has its signing key added to
/etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any
package on the system. So this change was made for security
reasons (your security).
Cheers,
Lorenz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20210930/a17ab8fe/attachment.sig>
More information about the samba
mailing list