To my understanding the packages provided for Debian-based operating systems are unsigned.
The installer provided here works around this by adding the `[trusted=yes]` parameter to the repository configuration.
From the docs of `sources.list`:

> Trusted (trusted) is a tri-state value which defaults to APT deciding if a source is considered trusted or if warnings should be raised before e.g. packages are installed from this source. This option can be used to override that decision. The value yes tells APT always to consider this source as trusted, even if it doesn't pass authentication checks. It disables parts of apt-secure(8), and should therefore only be used in a local and trusted context (if at all) as otherwise security is breached. The value no does the opposite, causing the source to be handled as untrusted even if the authentication checks passed successfully. The default value can't be set explicitly.

I would expect a security-centered project to sign the release packages instead of disabling these validation features.
I'm curious why this solution is chosen instead. Do you think the repositories should be signed? Are there any future plans for that?
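
An added example, not part of the original issue or the project's code: a small auditor that flags APT source entries setting `trusted=yes`, covering both the one-line `sources.list` style and the deb822 `.sources` style (the latter goes beyond the format the issue mentions). The hosts, keyring path and sample entries are constructed placeholders.

```python
import re
# Constructed sample inputs; hosts and keyring path are placeholders.
ONE_LINE = """\
deb [trusted=yes] https://repo.example.invalid/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://signed.example.invalid/apt stable main
deb https://plain.example.invalid/debian stable main  # no options
"""
DEB822 = """\
Types: deb
URIs: https://repo822.example.invalid/apt
Suites: stable
Components: main
Trusted: yes

Types: deb
URIs: https://signed822.example.invalid/apt
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/example.gpg
"""

def parse_one_line(text):
    """Yield (uri, options) per entry of one-line-style sources.list text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if m:
            pairs = (tok.partition("=") for tok in (m.group(1) or "").split())
            yield m.group(2), {k.lower(): v for k, _, v in pairs}

def parse_deb822(text):
    """Yield (uri, fields) per stanza of deb822-style .sources text."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Skip comments and continuation lines (e.g. an embedded key).
            if line[:1] in ("#", " ", "\t") or ":" not in line:
                continue
            key, _, val = line.partition(":")
            fields[key.strip().lower()] = val.strip()
        if "uris" in fields:
            yield fields["uris"], fields

def audit(entries):
    """Return URIs whose entry sets trusted to the documented value 'yes'."""
    return [uri for uri, opts in entries if opts.get("trusted", "").lower() == "yes"]
if __name__ == "__main__":
    for uri in audit(list(parse_one_line(ONE_LINE)) + list(parse_deb822(DEB822))):
        print("authentication bypassed by trusted=yes:", uri)
```

On a real host the same functions can be fed the contents of `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`.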