mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-26 21:30:55 +08:00
Merge pull request #29406 from lkxed/20230517-1-Ubuntu-23-10-To-Bring-Security-Enhanced-PPAs
[Manual topic selection][news]: 20230517.1 ⭐️ Ubuntu 23.10 To Bring Security Enhanced PPAs.md
commit
0f27d6cd8b
@ -0,0 +1,92 @@
|
||||
[#]: subject: "Ubuntu 23.10 To Bring Security Enhanced PPAs"
|
||||
[#]: via: "https://news.itsfoss.com/ubuntu-23-10-set-to-let-you-easily-manage-ppas-while-enhancing-security/"
|
||||
[#]: author: "Ankush Das https://news.itsfoss.com/author/ankush/"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: " "
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
Ubuntu 23.10 To Bring Security Enhanced PPAs
|
||||
======
|
||||
|
||||
Ubuntu 23.10 is changing the way PPAs are managed.
|
||||
|
||||
![ubuntu 23.10 ppa][1]
|
||||
|
||||
Ubuntu upgrades constantly enhance functionalities and add security fixes.
|
||||
|
||||
However, it is not often that you see some changes to some of the core mechanisms.
|
||||
|
||||
With Ubuntu 23.10, the PPA functioning gets better. At least, you'll see fewer warnings in the terminal.
|
||||
|
||||
What am I talking about? Let me go into detail.
|
||||
|
||||
### The GPG key issue
|
||||
|
||||
Traditionally, PPAs and other external repositories were managed through a .list file at /etc/apt/sources.list.d/, which included the list of sources. In addition, a GPG keyring was associated at /etc/apt/trusted.gpg.d
|
||||
|
||||
This was identified as a potential security issue because the GPG key is added at the system level.
|
||||
|
||||
How? Imagine that you added keys to repository A to get package AA and to repo B to get package BB. Your system will gladly accept package BB signed by the key of repo A. It cannot relate the keys to their respective packages.
|
||||
|
||||
That's a problem, right? This old mechanism is being phased out. Now the GPG key info is added to the sources.list of the external repo itself. This way, the GPG key will only accept the package from its associated repo.
|
||||
|
||||
Existing Ubuntu users probably already encountered it in with [apt-key is deprecated][2] warnings when external repositories used the old method of adding GPG key in /etc/apt/trusted.gpg.d.
|
||||
|
||||
Here's an example of the old method of [adding external repositories][3]:
|
||||
|
||||
```
|
||||
sudo apt install apt-transport-https curl
|
||||
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
|
||||
sudo sh -c 'echo "deb https://dl.yarnpkg.com/debian/ stable main" >> /etc/apt/sources.list.d/yarn.list'
|
||||
sudo apt update && sudo apt install yarn
|
||||
```
|
||||
|
||||
### PPAs will use the new GPG key mechanism
|
||||
|
||||
Now, PPAs are slightly different than adding external repositories. Here, you don't manually import the GPG key and add it to the /etc/apt/trusted.gpg.d directory.
|
||||
|
||||
```
|
||||
sudo add-apt-repository ppa:dr-akulavich/lighttable
|
||||
sudo apt-get update
|
||||
sudo apt-get install lighttable-installer
|
||||
```
|
||||
|
||||
Everything is handled by the PPA mechanism itself and the GPG key associated with a PPA is automatically added to /etc/apt/trusted.gpg.d directory **until now**. User had no role in it.
|
||||
|
||||
With Ubuntu 23.10, a new approach is being introduced.
|
||||
|
||||
The PPAs will now be added as deb822-formatted .sources files, where the keys are directly embedded into the file's Signed-By field.
|
||||
|
||||
Some benefits that you get with this method are:
|
||||
|
||||
- When you remove the repository, the associated key is also removed.
|
||||
- You get a 1:1 relationship between the PPA and its key. No security issue.
|
||||
|
||||
The mailing list where it was revealed also mentioned:
|
||||
|
||||
> The key is dedicated to the specific PPA and cannot be used for other repositories (unlike the old trusted.gpg.d, which was a global store for all sources). Other keys cannot be utilized to sign the PPA.
|
||||
|
||||
Altogether, the new PPA version will reduce the 'Key is stored in legacy trusted.gpg keyring' and 'Manage keyring files in trusted.gpg.d instead' warnings.
|
||||
|
||||
In my opinion, Ubuntu should have brought this change earlier. Better late than never. 😊
|
||||
|
||||
_What do you think about this new change to handle PPAs in Ubuntu? Let me know your thoughts on the same._
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://news.itsfoss.com/ubuntu-23-10-set-to-let-you-easily-manage-ppas-while-enhancing-security/
|
||||
|
||||
作者:[Ankush Das][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://news.itsfoss.com/author/ankush/
|
||||
[b]: https://github.com/lkxed/
|
||||
[1]: https://news.itsfoss.com/content/images/size/w1304/2023/05/ubuntu-better-ppa-management.png
|
||||
[2]: https://itsfoss.com/apt-key-deprecated/?ref=news.itsfoss.com
|
||||
[3]: https://itsfoss.com/adding-external-repositories-ubuntu/?ref=news.itsfoss.com
|
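Review bot: The "The GPG key issue" section names /etc/apt/trusted.gpg.d as the deprecated key location, which conflicts with the warning quoted near the end of the same file ('Key is stored in legacy trusted.gpg keyring' and 'Manage keyring files in trusted.gpg.d instead') and with the old-method example, which imports the key with `apt-key add -` rather than placing a file in that directory. The article's security argument depends on exactly where a key is trusted, so the translator should check this wording against the source and add a translator's note if the inconsistency is upstream. Two smaller points in the same hunk: the apt-key sentence reads "encountered it in with", and link references [2] and [3] carry a `?ref=news.itsfoss.com` tracking parameter that can be dropped without changing the target.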