Control: reassign wiki.x2go.org Control: retitle -1 Update GPG key bootstrapping instructions for Debian Control: close -1
- On 8/24/19 7:06 PM, Mihai Moldovan wrote:
Control: reassign -1 packages.x2go.org
N: An update from such a repository cannot be done in a secure way, so it is disabled by default.
The x2go-keyring package is available for Debian buster, includes the required key file and should work just fine.
However, newer apt versions will disallow downloading from an untrusted repository.
In order to actually install the keyring package, try running something like: sudo apt-get --allow-unauthenticated install x2go-keyring
Afterwards, sudo apt update should not return an error again. Do not use the --allow-unauthenticated flag without understanding its implications.
That wasn't correct - at least not completely. --allow-unauthenticated should work for package installations, but not for downloading repository metadata.
To allow apt to work with unauthenticated repository metadata, users would need to use something like: apt-get update --allow-insecure-repositories
This said: this is totally risky, now and later. Installing packages from an unauthenticated repository doesn't give apt any chance to check the origin. A successful Man-in-the-Middle attack is very likely in such a scenario. Worse, even after the initial bootstrap, all subsequent operations and packages from such a repository could still be malicious.
I've updated https://wiki.x2go.org/doku.php/wiki:repositories:debian et al with this information, big fat warning signs and explanations.
**Users should always bootstrap with the currently valid GPG key and then install the x2go-keyring package from the validated X2Go repository location!**
Closing up here.
Mihai