Hi Timo,

On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote:
> Hello Wouter Verhelst,
>
> 03.11.19 18:35 Wouter Verhelst:
> > The software from the package downloads the metadata index and validates
> > the GPG signature; and if everything checks out, adds configuration to
> > /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
> > repository.
>
> Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key is in
> there its owner can impersonate the official debian repos for default
> setups.¹
> Please use some other path (such as /var/lib/extrepo/keyrings/) for the
> keyrings and connect it with "Signed-By:" [1].
>
> I just changed my /etc/apt/sources.list.d/debian.sources to have:
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Thanks. I agree that makes sense; I've updated the code as such.

-- 
To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard
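
The recommendation in this exchange, tying each repository to its own keyring with "Signed-By:", can be audited mechanically. The following is an added example, not part of the original thread and not extrepo's code: a Python check that lists repository entries with no Signed-By setting, which apt would verify against every key in the trusted keyrings. The sample entries, the example.org/example.net hosts and the keyring name example.asc are constructed.

```python
import re

# Constructed sample inputs (hostnames and example.asc are made up).
SAMPLE_SOURCES = """\
Types: deb
URIs: http://deb.debian.org/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://repo.example.org/apt
Suites: stable
Components: main
"""
SAMPLE_LIST = """\
deb [signed-by=/var/lib/extrepo/keyrings/example.asc] https://repo.example.org/apt stable main
deb https://other.example.net/apt stable main  # no key pinning
"""

def unpinned_deb822(text):
    """URIs of deb822 (.sources) stanzas that carry no Signed-By field."""
    missing = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line.startswith("#"):
                continue
            if line[:1] in (" ", "\t") and last:  # continuation (e.g. embedded key)
                fields[last] += " " + line.strip()
                continue
            key, sep, value = line.partition(":")
            if sep:
                last = key.strip().lower()
                fields[last] = value.strip()
        if "uris" in fields and not fields.get("signed-by", "").strip():
            missing.append(fields["uris"])
    return missing

def unpinned_list(text):
    """URIs of one-line-style (.list) entries without a signed-by= option."""
    missing = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if m and "signed-by=" not in (m.group(1) or "").lower():
            missing.append(m.group(2))
    return missing
```

To audit a real system, feed each file under /etc/apt/sources.list.d to the function matching its extension (.sources or .list).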