11/9/2023 0 Comments Debian sources.list![]() ![]() Fixing this appears to require improvements in apt, see 858406.Ĭertificate updates SHOULD be distributed by a Debian package called deriv-archive-keyring. different paths, different suites, or different components), then the proposed Pin: origin is incapable of distinguishing between them. ![]() ![]() Note that if the local system pulls multiple repositories from the same host (e.g. The "Deb822" file format MAY be used instead to improve clarity for complex entries (e.g. Debian's documented split) and the component names should concisely reflect that split.Įntries MUST be added in the /etc/apt/ directory using a shortened repository name (e.g. If there is a reason for splitting the repo into multiple components, the reason for the split should be clearly documented (e.g. If the repository has no reason to be split into multiple components, then the component name SHOULD be main. If the suite does not correspond to a target Debian release, the suite naming convention MUST be clearly documented. In other cases, the suite SHOULD be the string "stable", or it MAY be a repository-specific string describing the suite concisely. The suite entry SHOULD correspond to the target Debian release if the binaries are built for a specific suite. The signed-by entry MUST point to a file, and not a fingerprint. We also strongly recommend the use of HTTPS as it bypasses certain MITM attacks that would allow a hostile third party to inject OpenPGP certificate material in the repository setup.Ī sources.list entry SHOULD have the signed-by option set. The reason why we avoid ASCII-Armored files is that they can only be used by SecureApt in version 1.4 or later (which appeared in stretch). If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead. If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. The certificate MUST NOT be placed in /etc/apt/ or loaded by apt-key add. ![]() The certificate MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root. This certificate SHOULD be signed by other keys, preferably including some that are close to the strong set, in order to leverage the OpenPGP web of trust. It should be noted that the previously recommended ad-hoc standard pool, is out of service permanently. If so, operators SHOULD choose an appropriate keyserver or keyserver pool, such as or, or implement a OpenPGP Web Key Directory. The certificate MAY also be made available on key servers. A free X509 certificate MAY be obtained from Let's Encrypt and automatically configured using the certbot package. The certificate SHOULD be served over HTTPS if possible. The file SHOULD NOT be ASCII-Armored ( gpg -export -armor) although a separate armored version MAY be available under deriv-archive-keyring.asc. A binary export ( gpg -export) of the certificate SHOULD be available at the root of the repository under the filename deriv-archive-keyring.pgp, where deriv is the a short name for the repository. Repositories MUST be signed with an OpenPGP certificate. Instructions to connect to a third-party repository. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |