Debian ships with a lot of packages. This allows our users to easily install software without too much effort -- just run apt-get install foo, and foo gets installed.
However, Debian does not ship with everything, and for that reason there sometimes are things that are not installable with just the Debian repositories. Examples include:
- Software that is not (yet) packaged for Debian
- A repository for software that is in Debian, but for the bleeding-edge version of that software (e.g., maintained by upstream, or maintained by the Debian packager for that software)
- Software that is not DFSG-free and cannot be included in Debian's non-free repository due to licensing issues, but that can freely be installed by Debian users.
In order to enable and use such repositories on a Debian system, a user currently has to perform some actions that may be insecure:
- Some repositories provide a link to a repository and a key, and expect the user to perform all actions to enable that repository manually. This works, but mistakes are easy to make (especially for beginners), and therefore it is not ideal.
- Some repositories provide a script to enable the repository, which must be run as root. Such scripts are not signed when run. In other words, we expect users to run untrusted code downloaded from the Internet, when everywhere else we tell people that doing so is a bad idea.
- Some repositories provide a single .deb file that can be installed, and which enables the necessary repositories in the apt configuration. Since, in contrast to RPM files, Debian packages are not signed, this means that the configuration is not enabled securely.
While there is a tool to enable package signatures in Debian packages, the dpkg tool does not enforce the existence of such signatures, and therefore it is possible for an attacker to replace the (signed) .deb file with an unsigned variant, bypassing the whole signature.
In an effort to remedy this whole situation, I looked at creating extrepo, a package that would download repository metadata from a special-purpose repository, verify the signatures placed on that metadata, and if everything matches, enable the repository by creating the necessary apt configuration files.
This should allow users to enable external repository "foo" by running extrepo enable foo, rather than downloading a script from foo's website and executing it as root -- or other similarly insecure options.
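The last step of the flow described above, writing the apt configuration, is also where the manual approach goes wrong most often (keys added with apt-key are trusted for every repository, not just the one they belong to). As an added example, not code from extrepo or from this post, the POSIX shell function below writes that configuration the scoped way: the key goes into its own keyring file and the source entry pins it with Signed-By, and the function refuses to enable anything when the key is missing or does not look like an OpenPGP public key. It assumes the key file has already been obtained and verified out of band; the repository name, URI and paths used here are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of extrepo or of the original post.
# write_sources NAME URI SUITE COMPONENTS KEYFILE DESTDIR
#   Writes DESTDIR/keyrings/NAME.gpg and DESTDIR/sources.list.d/NAME.sources.
#   Returns 1 and writes nothing if the inputs are not safe to enable.
#   On a real system DESTDIR would be /etc/apt; all values are constructed here.
write_sources() {
    name=$1 uri=$2 suite=$3 components=$4 keyfile=$5 dest=$6

    # Only plain names: the name becomes a file name under DESTDIR.
    printf '%s\n' "$name" | grep -Eq '^[a-z0-9][a-z0-9.-]*$' \
        || { echo "refusing: bad repository name '$name'" >&2; return 1; }

    # Fail closed: without a key, apt could verify nothing this repository serves.
    [ -s "$keyfile" ] \
        || { echo "refusing: key file '$keyfile' missing or empty" >&2; return 1; }

    if grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$keyfile"; then
        : # ASCII-armored key
    else
        # Binary OpenPGP: first byte must be a public-key packet header
        # (0x98/0x99/0x9a old format, 0xc6 new format; RFC 4880 section 4).
        first=$(od -An -tx1 -N1 "$keyfile" | tr -d ' \n')
        case $first in
            98|99|9a|c6) ;;
            *) echo "refusing: '$keyfile' is not an OpenPGP public key" >&2; return 1 ;;
        esac
    fi

    keyring="$dest/keyrings/$name.gpg"
    sources="$dest/sources.list.d/$name.sources"
    mkdir -p "$dest/keyrings" "$dest/sources.list.d" || return 1
    cp "$keyfile" "$keyring" || return 1
    chmod 0644 "$keyring"

    # deb822 source entry; Signed-By limits trust in this key to this repository.
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$uri" "$suite" "$components" "$keyring" > "$sources"
}
```

Typical use would be write_sources foo https://example.invalid/debian unstable main /path/to/foo.asc /etc/apt, run as root. Newer apt releases accept an ASCII-armored key file in the Signed-By keyring; older ones require the binary form, which gpg --dearmor produces, so on older systems convert the key before passing it in.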
The extrepo package has been uploaded to Debian, and so once NEW processing has finished, it will be available in Debian unstable.
I might upload it to backports too if no issues are found, but that won't be an immediate thing.
Hi Josh,
The installer thing seems like a good idea to do somewhere down the line. I can do that (have done some installer work in the past, so I know how the parts work together), but I want to focus on working out the kinks in extrepo first, before I commit to doing that.
I'm a bit more reluctant regarding the semi-personal ones. I could imagine adding configuration so you could create your own extrepo configuration server; but beyond that, not so sure. I don't want the list of repositories to be too cluttered.
At any rate, I've created two wishlist bugs on the extrepo-data repository. Feel free to follow up there.
Just filed two bugs via DBTS about 0.2 as installed in unstable. Looks pretty neat! How possible would it be to get my commercially-sponsored-but-open-source APT repo in the curated list? I'm hoping to ITP these and go through the NM process soon, but it would be nice to get them out in front of a wider audience in the meantime:
deb https://www.dsscaw.com/repos/apt/debian unstable main
deb-src https://www.dsscaw.com/repos/apt/debian unstable main
For anyone who wants to add repositories, please open a merge request against the extrepo-data repository:
https://salsa.debian.org/extrepo-team/extrepo-data/