
security improvements for debian repo instructions #981

Open
unDocUMeantIt opened this issue Mar 8, 2021 · 8 comments · May be fixed by #1189
Assignees
Labels
Feature good first issue 👶 Easy task, perfect if you don't have much experience with the project help welcome 💕 PRs are welcome! Just comment in the issue saying you are working on it

Comments

@unDocUMeantIt

I'd like to suggest some security improvements with regard to the auto-generated instructions for configuring Debian package repositories:

  • instead of storing keys in /etc/apt/trusted.gpg.d/, they should be saved to /usr/share/keyrings/
  • for apt to use the correct key, you should replace deb http://download.opensuse.org... with deb [signed-by=/usr/share/keyrings/<keyring.gpg>] https://download.opensuse.org... (here, replace <keyring.gpg> with the name of the keyring file; use HTTPS)

The old and now officially deprecated way of keeping keyrings for third-party repos in /etc/apt/trusted.gpg.d/ is a potential security issue: it doesn't specify which key belongs to which repository, so package lists signed by any of those keys are accepted as trustworthy.

Here's a full practical example of how these instructions should look instead:

echo 'deb [signed-by=/usr/share/keyrings/home_sfztools_sfizz.gpg] https://download.opensuse.org/repositories/home:/sfztools:/sfizz/Debian_10/ /' | sudo tee /etc/apt/sources.list.d/home:sfztools:sfizz.list
curl -fsSL https://download.opensuse.org/repositories/home:sfztools:sfizz/Debian_10/Release.key | gpg --dearmor | sudo tee /usr/share/keyrings/home_sfztools_sfizz.gpg > /dev/null
sudo apt update
sudo apt install sfizz
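One way to check an existing set of apt sources for the two problems this issue describes (no signed-by pinning, and plain http transport), as an added example that is not part of software-o-o or of this thread; the function names audit_apt_source and audit_apt_files and the sample entries are my own:

```shell
#!/bin/sh
# Added example (not software-o-o code): audit one-line apt source entries.
# An entry without [signed-by=...] is verified against every key in
# /etc/apt/trusted.gpg.d, so any of those keys can sign its package lists.

# audit_apt_source LINE: print one WARN per finding; return 0 only if clean.
audit_apt_source() {
    line=$1
    rc=0
    case "$line" in
        "deb "*|"deb-src "*) ;;
        *) return 0 ;;          # comments and blank lines: nothing to check
    esac
    case "$line" in
        *"["*"]"*)              # split "[options]" from the URI that follows
            opts=${line#*\[}; opts=${opts%%\]*}
            rest=${line#*\]} ;;
        *)
            opts=""
            rest=${line#deb}; rest=${rest#-src} ;;
    esac
    set -- $rest                # $1 is now the repository URI
    uri=$1
    case "$opts" in
        *signed-by=*)
            keyring=${opts#*signed-by=}; keyring=${keyring%% *}
            case "$keyring" in
                /etc/apt/trusted.gpg.d/*)
                    echo "WARN: $uri pins a keyring apt already trusts globally: $keyring"
                    rc=1 ;;
            esac ;;
        *)
            echo "WARN: $uri has no signed-by; any key in /etc/apt/trusted.gpg.d is accepted"
            rc=1 ;;
    esac
    case "$uri" in
        http://*) echo "WARN: $uri uses plain http instead of https"; rc=1 ;;
    esac
    return $rc
}

# audit_apt_files FILE...: audit every line of each file; return 1 on any finding.
# Usage on a real system: audit_apt_files /etc/apt/sources.list.d/*.list
audit_apt_files() {
    bad=0
    for f in "$@"; do
        while IFS= read -r l || [ -n "$l" ]; do
            audit_apt_source "$l" || bad=1
        done < "$f"
    done
    return $bad
}
```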
@agraul agraul added Feature good first issue 👶 Easy task, perfect if you don't have much experience with the project help welcome 💕 PRs are welcome! Just comment in the issue saying you are working on it labels Mar 18, 2021
@thekushalgaikwad

I am interested. How should I do it?

@agraul
Member

agraul commented Mar 19, 2021

Great @kushal140!

The download instructions are defined in app/views/download/package.erb.

If you don't already have a development environment set up, take a look at https://github.com/openSUSE/software-o-o#running-the-application-locally. If those instructions are missing something, please open a new issue.

@thekushalgaikwad

How do I download the ISO file?
I read the documentation; it was about installing openSUSE. I searched on the internet but found nothing. We should prepare proper documentation so that more people will find it easy.
I strongly suggest changing the interface of the download page. I think Kali Linux has a simple, clean and easy to understand download page.
It is very important to display the size of the image file. Hope this will be useful.
https://www.kali.org/downloads/

Due to the lack of download instructions, I was unable to download the openSUSE image file and set up an environment. So, unfortunately, I cannot solve issue #981.

@agraul
Member

agraul commented Mar 19, 2021

It would be nice if you could give feedback on get.opensuse.org in the correct repository, e.g. in the issue you have opened (which we've transferred to openSUSE/get-o-o).

> Due to the lack of download instructions, I was unable to download the openSUSE image file and set up an environment. So, unfortunately, I cannot solve issue #981.

Does that mean you don't want to try fixing the issue since you could not download the iso? There is no dependency on openSUSE distros, you could use any Rails environment you want.

I don't know why the ISO download button is not working for you. This is the URL it (normally) leads to: https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-DVD-x86_64-Current.iso

@hellcp
Member

hellcp commented Mar 19, 2021

> I don't know why the ISO download button is not working for you. This is the URL it (normally) leads to: https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-DVD-x86_64-Current.iso

openSUSE/get-o-o#35
That also means that the link you posted will not work in Chrome/Chromium either, btw.

@agraul
Member

agraul commented Mar 19, 2021

ah, good to know

@thekushalgaikwad

With the information provided above, I tried opening the file with a torrent downloader, and it worked.
The above information should be included in the documentation. Thanks for the help.

@graue70

graue70 commented Dec 8, 2023

See #1189.
