1. 7
  1.  

  2. 4

    I’ve done a lot of tech and OSS work over the last 20 years. Linux packaging is by far the worst cesspit of random blog posts and undocumented, user-hostile tooling. The insistence that http is sufficient for security due to the use of gpg is one example.

    https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/

    1. 1

      I think this post is unfair. The title makes one think that some large problem with major Linux distributions has been discovered, and then it turns out it’s all about third-party repositories. If you follow the standard advice to not use third party repositories at all, then all of this post immediately is void. As long as you stick to your Linux distribution’s repositories (which you should), the PGP problems highlighted in this post do not appear.

      Even more, the problems outlined to not relate to the package management system itself, but only to the PGP keyserver infrastructure. Again, if you do not use third-party repositories, you never interact with the PGP keyserver infrastructure.

      1. 4

        Until every distro packages all versions of all software I will ever need, I will need to install software from third parties. Until all that software is packaged up as a snap package or flatpak (which I think is impossible for some kinds of software, such as beta versions of proprietary nvidia drivers), third-party repositories are the best option available in most distros. You don’t get to just say “you’re using it wrong” when the system used “correctly” doesn’t do what users need it to do.

      2. 1

        Has there been any progress with regards to fixing the flooding issue? Such a simple way to break the whole system…

        1. 2

          Other than GPG not accepting keys from keyservers, not really.

          https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html

            * gpg: Ignore all key-signatures received from keyservers.  This
              change is required to mitigate a DoS due to keys flooded with
              faked key-signatures.  The old behaviour can be achieved by adding
              keyserver-options no-self-sigs-only,no-import-clean
              to your gpg.conf.  [#4607]