Re: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/de...
The instructions need updating for two reasons:
Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove reference to 8.0 "Jessie" and replace with 10.0 "Buster".
The instructions presented for key handling are not inline with Debian best-practices. As per https://wiki.debian.org/DebianRepository/UseThirdParty: "The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."
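As an added illustration of the Debian policy quoted above (this is not code from the Dovecot documentation or from either poster), a POSIX shell fragment that fetches a repository key over HTTPS into /usr/share/keyrings, emits a sources.list line with signed-by, and audits an existing line; the keyring file name, KEY_URL and REPO_URL are placeholders to be replaced with the values from the Dovecot docs.

```shell
#!/bin/sh
# Added example, not from the Dovecot docs or this thread: follow
# https://wiki.debian.org/DebianRepository/UseThirdParty for a third-party repo.
# The keyring name below is a placeholder; KEY_URL/REPO_URL come from the Dovecot docs.
KEYRING=/usr/share/keyrings/dovecot-archive-keyring.gpg   # placeholder, root-only dir

# Download the signing key over HTTPS only (no plain-HTTP fallback) into the
# root-writable keyring directory; dearmor ASCII keys so apt can read them.
fetch_key() {            # usage: fetch_key KEY_URL DEST   (run as root)
  tmp=$(mktemp) || return 1
  curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$tmp" "$1" || return 1
  if grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$tmp"; then
    gpg --dearmor < "$tmp" > "$2"
  else
    cp "$tmp" "$2"
  fi
  chmod 0644 "$2" && rm -f "$tmp"
}

# Build the sources.list line: signed-by names the keyring FILE, so the key is
# trusted for this repository only, unlike apt-key add, which trusts it for all.
sources_entry() {        # usage: sources_entry REPO_URL SUITE
  printf 'deb [signed-by=%s] %s %s main\n' "$KEYRING" "$1" "$2"
}

# Audit an existing entry: it must carry signed-by, and the value must be an
# absolute path to a keyring file rather than a key fingerprint.
check_entry() {          # returns 0 if the line is policy-compliant, 1 otherwise
  case "$1" in
    *signed-by=/*) return 0 ;;
    *) return 1 ;;
  esac
}
```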
On 8/5/21 8:42 AM, Laura Smith wrote:
Re: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/de...
The instructions need updating for two reasons:
- Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove reference to 8.0 "Jessie" and replace with 10.0 "Buster".
To "replace", I guess instructions for other versions should be added.
Bullseye will be released soon, so must it be replaced again?
To add instructions for other versions, someone needs to test and document them.
- The instructions presented for key handling are not inline with Debian best-practices. As per https://wiki.debian.org/DebianRepository/UseThirdParty: "The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."
A secure connection is not (exactly) needed. Debian will check the package using gpg;
neither do the official repositories enforce a secure connection.
As you said, "The key MUST be downloaded over secure connection":
the key, not the package; the package must be signed by the key.
-- Lucas Castro
On Thursday, August 5th, 2021 at 4:06 PM, Lucas Castro <lucas@gnuabordo.com.br> wrote:
On 8/5/21 8:42 AM, Laura Smith wrote:
Re: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/de...
The instructions need updating for two reasons:
- Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove reference to 8.0 "Jessie" and replace with 10.0 "Buster".
To "replace", I guess instructions for other versions should be added.
There is very little point supporting EOL systems. As per the table in the link I provided, 8.0 Jessie is EOL unless you are paying money to Debian for ELTS subscription.
A secure connection is not (exactly) needed. Debian will check the package using gpg;
neither do the official repositories enforce a secure connection.
As you said, "The key MUST be downloaded over secure connection":
the key, not the package; the package must be signed by the key.
I am not sure what point you are trying to make here?
There is no argument that what I am asking for MUST be done.
The Debian link I referred to explains in much detail WHY it is important.
Please reply to the list only!
On 8/5/21 12:20 PM, Laura Smith wrote:
On Thursday, August 5th, 2021 at 4:06 PM, Lucas Castro <lucas@gnuabordo.com.br> wrote:
On 8/5/21 8:42 AM, Laura Smith wrote:
Re: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/de...
The instructions need updating for two reasons:
- Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove reference to 8.0 "Jessie" and replace with 10.0 "Buster".
To "replace", I guess instructions for other versions should be added.
There is very little point supporting EOL systems. As per the table in the link I provided, 8.0 Jessie is EOL unless you are paying money to Debian for ELTS subscription.
I really don't know where you read about payment for ELTS subscription.
A secure connection is not (exactly) needed. Debian will check the package using gpg;
neither do the official repositories enforce a secure connection.
As you said, "The key MUST be downloaded over secure connection":
the key, not the package; the package must be signed by the key.
I am not sure what point you are trying to make here?
There is no argument that what I am asking for MUST be done.
The Debian link I referred to explains in much detail WHY it is important.
The point is that the package is checked by gpg signature.
The link referred to says: "Serving the repository under HTTPS is OPTIONAL".
The package is signed using a gpg key. The key must be downloaded over a secure connection, not the package.
-- Lucas Castro
Also FYI further supporting detail:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012