What is the best practice for a 3rd party repo to distribute its GPG key?
Ubuntu gets to distribute its keys using the "ubuntu-keyring" package which is itself meta-validated.
The problem is for third-party repos. Most of them are using the following pattern: `curl http://
In my view the pattern is not secure because first most of these repos don't use SSL, which opens the road to MITM attacks and arbitrary code execution if the client installs a package. Even if SSL is used it doesn't seem very secure; certificates can be forged by compromised/
Therefore it seems to me that it would be best to disseminate the key's fingerprint as widely as possible to avoid a single point of failure by replacing the installation instruction with something like this: `apt-key adv --keyserver keyserver.
What do you think ?
Question information
- Language: English
- Status: Answered
- For: Ubuntu apt
- Assignee: No assignee
- Asked by: zimbatm
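A concrete version of the "pin the fingerprint, not the download" idea, as an added example that is not part of the original question and is not Ubuntu or apt tooling: it fetches the key over HTTPS, derives the primary key's full 40-hex-digit fingerprint locally with gpg, refuses to install unless that equals a fingerprint obtained out of band (project web page, printed documentation, a second independent source), and then installs the key under /etc/apt/keyrings with a Signed-By sources entry so it is trusted only for that one repository. That per-repository keyring mechanism is what replaced the now-deprecated apt-key. The repository URL, key name and fingerprints are placeholders, and the gpg colon-format sample is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original question, not Ubuntu/apt tooling).
# Assumptions: gpg, curl and a recent apt are installed; /etc/apt/keyrings
# exists; the repository's full 40-hex-digit key fingerprint was obtained
# out of band (project web page over HTTPS, printed docs, a second source).
# example.org, the key name and the fingerprints below are placeholders.
set -eu

# Normalise a fingerprint for comparison: strip whitespace, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` records on stdin and print the fingerprint of each
# primary key. Field 10 of an "fpr" record is the fingerprint; the first fpr
# after a "pub" record belongs to the primary key, later ones to its subkeys.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Given colon-format gpg output and the pinned fingerprint, succeed only if the
# data holds exactly one primary key and its fingerprint equals the pinned one.
# Comparing the full fingerprint (never a short key ID, for which a keyserver
# can return a colliding key) is the whole point of the check.
check_fprs() {
    expected=$(norm_fpr "$2")
    fprs=$(printf '%s\n' "$1" | primary_fprs)
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 1
    [ "$(norm_fpr "$fprs")" = "$expected" ]
}

# Same check against a key file; show-only lists the key without importing it.
key_file_matches() {
    check_fprs "$(gpg --batch --with-colons --import-options show-only --import "$1")" "$2"
}

# Fetch, verify and install a third-party key, and write a deb822 sources entry
# whose Signed-By limits that key to this one repository.
install_repo_key() {
    name=$1 key_url=$2 expected=$3 repo_url=$4 suite=$5 component=$6
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 "$key_url" -o "$tmp"
    if ! key_file_matches "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "$name: key fingerprint does not match pinned value, not installing" >&2
        return 1
    fi
    # apt wants a binary keyring; dearmor only if the download is ASCII-armored.
    if head -c 15 "$tmp" | grep -q -- '-----BEGIN PGP'; then
        gpg --batch --yes --dearmor -o "/etc/apt/keyrings/$name.gpg" "$tmp"
    else
        install -m 0644 "$tmp" "/etc/apt/keyrings/$name.gpg"
    fi
    rm -f "$tmp"
    cat > "/etc/apt/sources.list.d/$name.sources" <<EOF
Types: deb
URIs: $repo_url
Suites: $suite
Components: $component
Signed-By: /etc/apt/keyrings/$name.gpg
EOF
}

# Constructed gpg --with-colons output for one key with a signing subkey.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1500000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Repo Signing Key <apt@example.org>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Usage (placeholders): install_repo_key example https://example.org/apt/key.asc \
#   '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567' https://example.org/apt stable main
```

The fingerprint comparison is the step that makes the transport irrelevant: whether the key arrives over plain HTTP, HTTPS or a keyserver, a substituted key fails the check and nothing is installed. Rejecting files that bundle more than one primary key matters because a "keys" download that quietly carries an extra key would otherwise get that key trusted too. Keeping the result under /etc/apt/keyrings with Signed-By, rather than in the global trusted keyring, means a compromise of that repository's key cannot be used to sign packages served from any other source.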