[X2Go-Commits] [[X2Go Wiki]] page changed: wiki:repositories:debian

wiki-admin at x2go.org wiki-admin at x2go.org
Thu Sep 12 18:44:07 CEST 2019 

A page in your DokuWiki was added or changed. Here are the details:

Date        : 2019/09/12 16:44
Browser     : Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
IP-Address  : 178.162.222.163
Hostname    : 178.162.222.163.adsl.inet-telecom.org
Old Revision: https://wiki.x2go.org/doku.php/wiki:repositories:debian?rev=1568302263
New Revision: https://wiki.x2go.org/doku.php/wiki:repositories:debian
Edit Summary: Rework page, including a workaround for cases where bootstrapping the repository key is not possible.
User        : ionic

@@ -7,11 +7,13 @@
    * **Deprecated Debian releases**: please refer to [[wiki:repositories:archives:debian|Instructions for Archived Debian X2Go Packages]] instead.
  
  ===== Adding This Repository To Your Package System =====
  
- ==== Adding the Repository GPG Keys ====
+ ==== Bootstrapping the Repository GPG Keys ====
  
- Before starting to edit your system configuration, you'll need to add the needed GPG keys of the repository.
Please switch to a user which has administrator privileges on your system in your preferred command line client:
+ <note important>X2Go Packages for Debian and the repository metadata are signed with a GPG key to counter Man-in-the-Middle attacks. If you install X2Go components for the first time on a machine, you will have to bootstrap the repository and package signing key first in order for apt to validate the downloaded repository metadata and use it.</note>
+ 
+ Please switch to a user which has administrator privileges on your system in your preferred command line client:
  
  <code bash>
  su -
  </code>
@@ -20,18 +22,19 @@
  sudo -s
  </code>
  
  
- The following commands will ensure that your system will be able to work with the repository archive key. We have also provided our archive key and the X2Go maintainers's keys in a keyring package called ''x2go-keyring'' (see below). If you choose to install that package you can skip these first steps...
- 
+ The following
command will ensure that your system will be able to work with the repository archive key.
  <code bash>
  $ apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E
  </code>
  
  ==== Adding the Actual Repository ====
  
  Please add the file ''x2go.list'' to the folder ''/etc/apt/sources.list.d/''.
  This can be done by using your preferred editor.
+ 
+ <note>If you have not gotten a directory named ''/etc/apt/sources.list.d/'' add the lines to ''/etc/apt/sources.list''.</note>
  
  <code bash>
  $ editor /etc/apt/sources.list.d/x2go.list
  </code>
@@ -54,19 +57,32 @@
  # X2Go Repository (sources of nightly builds)
  #deb-src http://packages.x2go.org/debian stretch extras heuler
  </file>
  
- **Edit this new data** and make sure to uncomment desired components and comment non-desired components. Only one group may be active at a given time. Switching between components requires uninstalling all X2Go packages first!
+ **Edit this new data** and make sure to uncomment
desired components and comment non-desired components. Only one group may be active at a given time.
  
- **Note:** If you have not gotten a directory named ''/etc/apt/sources.list.d/'' add the lines to ''/etc/apt/sources.list''.
+ <note warning>Switching between components usually requires uninstalling all X2Go packages first! The only upgrade path that is considered somewhat safe is main (release packages) to heuler (nightly packages), but there are no guarantees regarding the stability or usefulness of nightly packages.</note>
  
  ==== Synchronize the Newly Added Repository's Metadata ====
  
  Please perform an update of your APT package database:
  
  <code bash>
  $ apt-get update
  </code>
+ 
+ <note important>If you were unable to bootstrap the repository GPG key previously, apt-get will fail to validate the signatures and discard the downloaded repository metadata.
+ \\ \\ 
+ **Not being able to verify signatures means that any content downloaded from the remote location
could be injected/offered by a malicious third party and need not come from the X2Go Project. This includes repository metadata and any packages downloaded from unauthenticated repositories. Installing the x2go-keyring package from an unauthenticated repository bears the chance that this is not our package but a malicious third-party one which will not contain our public keys. This holds for all packages installed from this repository, now and later.**
+ \\ \\ 
+ You can bypass apt's internal checks **if you understand the implications** and are ready to take the risk by **once** using:
+ \\ \\ 
+ <code bash>
+ $ apt-get update --allow-insecure-repositories
+ </code>
+ 
+ Otherwise, please try to first fetch the key again as outlined in the bootstrapping instructions.
+ </note>
  
  After the update you should be able to access the X2Go packages via the apt command family. As a first action you should install our ''x2go-keyring'' package and refresh the apt cache:
  
  <code
bash>


-- 
This mail was generated by DokuWiki at
https://wiki.x2go.org/

More information about the x2go-commits mailing list