Control: reassign wiki.x2go.org
Control: retitle -1 Update GPG key bootstrapping instructions for Debian
Control: close -1


* On 8/24/19 7:06 PM, Mihai Moldovan wrote:
> Control: reassign -1 packages.x2go.org
> 
> 
>> N: An update from such a repository cannot be done in a secure way, so
>> it is disabled by default.
> 
> The x2go-keyring package is available for Debian buster, includes the required
> key file and should work just fine.
> 
> However, newer apt versions will disallow downloading from an untrusted repository.
> 
> In order to actually install the keyring package, try running something like:
> sudo apt-get --allow-unauthenticated install x2go-keyring
> 
> Afterwards, sudo apt update should not return an error again. Do not use the
> --allow-unauthenticated flag without understanding its implications.

That wasn't correct - at least not completely. --allow-unauthenticated should
work for package installations, but not for downloading repository metadata.

To allow apt to work with unauthenticated repository metadata, users would need
to use something like:
apt-get update --allow-insecure-repositories

This said: this is totally risky, now and later. Installing packages from an
unauthenticated repository doesn't give apt any chance to check the origin. A
successful Man-in-the-Middle attack is very likely in such a scenario. Worse,
even after the initial bootstrap, all subsequent operations and packages from
such a repository could still be malicious.


I've updated https://wiki.x2go.org/doku.php/wiki:repositories:debian et al with
this information, big fat warning signs and explanations.

**Users should always bootstrap with the currently valid GPG key and then
install the x2go-keyring package from the validated X2Go repository location!**


Closing up here.



Mihai