wslutilities/documentation

(wiki) Debian/Kali installation instructions go against Debian third-party repo recommendations

slycordinator opened this issue · 2 comments

Windows Version

Windows 10

Windows Build Number

19045

WSL Version

Not Applicable

Distro Version

Debian 12 (bookworm)

WSL Utilities Version

N/A

Describe the bug

On the installation wiki, at https://wslutiliti.es/wslu/install.html
Under Debian and Kali, the directions go against the recommendations from Debian for using third party repositories ( https://wiki.debian.org/DebianRepository/UseThirdParty )

  1. The directions have the user place the file in /etc/apt/trusted.gpg.d, when Debian strongly recommends not to
    From Debian

    The certificate MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add.

    This is because /etc/apt/trusted.gpg.d is the global trust anchor for all of apt and this would cause all repositories to accept this third-party certificate, including those that don't have "signed-by"

  2. The directions have them directly use the ASCII-Armored certificate, when they recommend dearmoring it first

    users MAY be told to run a command to download the certificate, but because chances are the certificate being distributed is ASCII-Armored, it is best to unconditionally dearmor them

  3. Entries placed in /etc/apt/sources.list

    Entries MUST be added in the /etc/apt/sources.list.d directory using a shortened repository name (e.g. deriv.list)

Steps to Reproduce

  1. Read directions for installation on Debian/Kali
  2. Compare with recommendations from Debian

Expected behavior

  1. To place the key in /usr/share/keyrings as recommended and reference the key file using "signed-by" in the source line
  2. To store/use it locally dearmored
  3. Store the entry in its own file inside /etc/apt/sources.list.d

Additional context

Here is a potential way to fix:

  1. Change
    wget -O - https://pkg.wslutiliti.es/public.key | sudo tee -a /etc/apt/trusted.gpg.d/wslu.asc
    to
    wget -O - https://pkg.wslutiliti.es/public.key | sudo gpg -o /usr/share/keyrings/wslu-archive-keyring.pgp --dearmor

  2. Change lines like:
    echo "deb https://pkg.wslutiliti.es/debian buster main" | sudo tee -a /etc/apt/sources.list
    to
    echo "deb [signed-by=/usr/share/keyrings/wslu-archive-keyring.pgp] https://pkg.wslutiliti.es/debian buster main" | sudo tee -a /etc/apt/sources.list.d/wslu.list

Code of Conduct

  • I agree to follow this project's Code of Conduct

Thanks for the feedback! However, this is related to documentation, so I will transfer the issue to there.

Updated.