Merge pull request #29407 from wxy/20230517.1-⭐️-Ubuntu-23.10-To-Bring-Security-Enhanced-PPAs

ATRP:published/20230517.1 ⭐️ Ubuntu 23.10 To Bring Security Enhanced PPAs.md

published/20230517.1 ⭐️ Ubuntu 23.10 To Bring Security Enhanced PPAs.md

@@ -0,0 +1,90 @@
+[#]: subject: "Ubuntu 23.10 To Bring Security Enhanced PPAs"
+[#]: via: "https://news.itsfoss.com/ubuntu-23-10-set-to-let-you-easily-manage-ppas-while-enhancing-security/"
+[#]: author: "Ankush Das https://news.itsfoss.com/author/ankush/"
+[#]: collector: "lkxed"
+[#]: translator: "ChatGPT"
+[#]: reviewer: "wxy"
+[#]: publisher: "wxy"
+[#]: url: "https://linux.cn/article-15823-1.html"
+
+Ubuntu 23.10 将引入安全增强的 PPA
+======
+
+> Ubuntu 23.10 正在修改 PPA 的管理方式。
+
+![ubuntu 23.10 ppa][1]
+
+Ubuntu 的升级不断地增强功能并添加安全修复程序。但是，很少见到一些核心机制的更改。
+
+在 Ubuntu 23.10 中，PPA 的功能得到了改进。至少，你在终端中看到警告会更少。
+
+这是什么意思呢？让我详细说明一下。
+
+### GPG 密钥问题
+
+传统上，PPA 和其他外部存储库是通过 `/etc/apt/sources.list.d/` 中的 `.list` 来源列表文件进行管理的。此外，还有一个关联的 GPG 密钥环被放在 `/etc/apt/trusted.gpg.d` 中。
+
+这被认为是一个潜在的安全问题，因为 GPG 密钥是在系统级别上添加的。
+
+怎么回事？想象一下，你为存储库 A 添加密钥以获取包 AA，并从存储库 B 获取包 BB。你的系统将很乐意接受用存储库 A 的密钥签名的 BB 包。因为它无法将密钥与其各自的包关联起来。
+
+这是个问题，对吧？这种旧机制正在逐步淘汰。现在，GPG 密钥信息将添加到外部存储库本身的 `sources.list` 中。这样，GPG 密钥将只接受其对应存储库的软件包。
+
+现有的 Ubuntu 用户可能已经遇到了使用 `/etc/apt/trusted.gpg.d` 中的旧方法添加 GPG 密钥时出现的 `apt-key is deprecated` 警告。
+
+以下是旧的 [添加外部存储库][3] 的方法的示例：
+
+```
+sudo apt install apt-transport-https curl
+curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
+sudo sh -c 'echo "deb https://dl.yarnpkg.com/debian/ stable main" >> /etc/apt/sources.list.d/yarn.list'
+sudo apt update && sudo apt install yarn
+```
+
+### PPA 将使用新的 GPG 密钥机制
+
+现在，PPA 与添加外部存储库略有不同。在这里，你不需要手动导入 GPG 密钥并将其添加到 `/etc/apt/trusted.gpg.d` 目录中。
+
+```
+sudo add-apt-repository ppa:dr-akulavich/lighttable
+sudo apt-get update
+sudo apt-get install lighttable-installer
+```
+
+**直到现在**，所有事情都由 PPA 机制自己处理，与 PPA 相关联的 GPG 密钥会自动添加到 `/etc/apt/trusted.gpg.d` 目录中。用户在这里不需要做任何事情。
+
+在 Ubuntu 23.10 中，引入了一种新的方法。
+
+现在，PPA 将作为 deb822 格式的 `.sources` 文件添加，其中密钥直接嵌入文件的 `Signed-By` 字段中。
+
+使用这种方法，可以获得以下一些优点：
+
+- 当删除存储库时，相关的密钥也会被删除。
+- PPA 与其密钥之间一一对应。没有安全问题。
+
+在揭示这一消息的邮件列表中也提到：
+
+> 该密钥专门用于特定的 PPA，无法用于其他存储库（与旧的存放所有存储库的源列表的 `trusted.gpg.d` 不同）。其他密钥不能用于签署该 PPA。
+
+总的来说，新的 PPA 版本将减少 “Key is stored in legacy trusted.gpg keyring” 和 “Manage keyring files in trusted.gpg.d instead” 警告。
+
+我认为 Ubuntu 应该早些时候就引入这个改变，但迟到总比没有好。 😊
+
+你对 Ubuntu 处理 PPA 的这个新改变有什么想法？请让我知道你的想法。
+
+--------------------------------------------------------------------------------
+
+via: https://news.itsfoss.com/ubuntu-23-10-set-to-let-you-easily-manage-ppas-while-enhancing-security/
+
+作者：[Ankush Das][a]
+选题：[lkxed][b]
+译者：ChatGPT
+校对：[wxy](https://github.com/wxy)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]: https://news.itsfoss.com/author/ankush/
+[b]: https://github.com/lkxed/
+[1]: https://news.itsfoss.com/content/images/size/w1304/2023/05/ubuntu-better-ppa-management.png
+[2]: https://itsfoss.com/apt-key-deprecated/?ref=news.itsfoss.com
+[3]: https://itsfoss.com/adding-external-repositories-ubuntu/?ref=news.itsfoss.com

sources/news/20230517.1 ⭐️ Ubuntu 23.10 To Bring Security Enhanced PPAs.md

@@ -1,92 +0,0 @@
-[#]: subject: "Ubuntu 23.10 To Bring Security Enhanced PPAs"
-[#]: via: "https://news.itsfoss.com/ubuntu-23-10-set-to-let-you-easily-manage-ppas-while-enhancing-security/"
-[#]: author: "Ankush Das https://news.itsfoss.com/author/ankush/"
-[#]: collector: "lkxed"
-[#]: translator: " "
-[#]: reviewer: " "
-[#]: publisher: " "
-[#]: url: " "
-
-Ubuntu 23.10 To Bring Security Enhanced PPAs
-======
-
-Ubuntu 23.10 is changing the way PPAs are managed.
-
-![ubuntu 23.10 ppa][1]
-
-Ubuntu upgrades constantly enhance functionalities and add security fixes.
-
-However, it is not often that you see some changes to some of the core mechanisms.
-
-With Ubuntu 23.10, the PPA functioning gets better. At least, you'll see fewer warnings in the terminal.
-
-What am I talking about? Let me go into detail.
-
-### The GPG key issue
-
-Traditionally, PPAs and other external repositories were managed through a .list file at /etc/apt/sources.list.d/, which included the list of sources. In addition, a GPG keyring was associated at /etc/apt/trusted.gpg.d
-
-This was identified as a potential security issue because the GPG key is added at the system level.
-
-How? Imagine that you added keys to repository A to get package AA and to repo B to get package BB. Your system will gladly accept package BB signed by the key of repo A. It cannot relate the keys to their respective packages.
-
-That's a problem, right? This old mechanism is being phased out. Now the GPG key info is added to the sources.list of the external repo itself. This way, the GPG key will only accept the package from its associated repo.
-
-Existing Ubuntu users probably already encountered it in with [apt-key is deprecated][2] warnings when external repositories used the old method of adding GPG key in /etc/apt/trusted.gpg.d.
-
-Here's an example of the old method of [adding external repositories][3]:
-
-```
-sudo apt install apt-transport-https curl
-curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
-sudo sh -c 'echo "deb https://dl.yarnpkg.com/debian/ stable main" >> /etc/apt/sources.list.d/yarn.list'
-sudo apt update && sudo apt install yarn
-```
-
-### PPAs will use the new GPG key mechanism
-
-Now, PPAs are slightly different than adding external repositories. Here, you don't manually import the GPG key and add it to the /etc/apt/trusted.gpg.d directory.
-
-```
-sudo add-apt-repository ppa:dr-akulavich/lighttable
-sudo apt-get update
-sudo apt-get install lighttable-installer
-```
-
-Everything is handled by the PPA mechanism itself and the GPG key associated with a PPA is automatically added to /etc/apt/trusted.gpg.d directory **until now**. User had no role in it.
-
-With Ubuntu 23.10, a new approach is being introduced.
-
-The PPAs will now be added as deb822-formatted .sources files, where the keys are directly embedded into the file's Signed-By field.
-
-Some benefits that you get with this method are:
-
-- When you remove the repository, the associated key is also removed.
-- You get a 1:1 relationship between the PPA and its key. No security issue.
-
-The mailing list where it was revealed also mentioned:
-
-> The key is dedicated to the specific PPA and cannot be used for other repositories (unlike the old trusted.gpg.d, which was a global store for all sources). Other keys cannot be utilized to sign the PPA.
-
-Altogether, the new PPA version will reduce the 'Key is stored in legacy trusted.gpg keyring' and 'Manage keyring files in trusted.gpg.d instead' warnings.
-
-In my opinion, Ubuntu should have brought this change earlier. Better late than never. 😊
-
-_What do you think about this new change to handle PPAs in Ubuntu? Let me know your thoughts on the same._
-
---------------------------------------------------------------------------------
-
-via: https://news.itsfoss.com/ubuntu-23-10-set-to-let-you-easily-manage-ppas-while-enhancing-security/
-
-作者：[Ankush Das][a]
-选题：[lkxed][b]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]: https://news.itsfoss.com/author/ankush/
-[b]: https://github.com/lkxed/
-[1]: https://news.itsfoss.com/content/images/size/w1304/2023/05/ubuntu-better-ppa-management.png
-[2]: https://itsfoss.com/apt-key-deprecated/?ref=news.itsfoss.com
-[3]: https://itsfoss.com/adding-external-repositories-ubuntu/?ref=news.itsfoss.com