On 8/5/21 8:42 AM, Laura Smith wrote:
> Re: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/debian_packages/
>
> The instructions need updating for two reasons:
>
> 1) Keep up to date with Debian releases
> (https://wiki.debian.org/DebianReleases), i.e. remove reference to 8.0
> "Jessie" and replace with 10.0 "Buster".
To "replace", I guess instructions for other versions should be added.
Bullseye will be released soon, so must it be replaced again?
To add instructions for other versions, someone needs to test and document.
>
> 2) The instructions presented for key handling are not in line with Debian
> best-practices.
> As per https://wiki.debian.org/DebianRepository/UseThirdParty: "The
> key MUST be downloaded over a secure mechanism like HTTPS to a location only
> writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be
> placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry
> SHOULD have the signed-by option set. The signed-by entry MUST point to a file,
> and not a fingerprint."
A secure connection is not (exactly) needed. Debian will check the package
using gpg.
The official repositories do not enforce a secure connection either.
As you said, "The key MUST be downloaded over secure connection":
the key, not the package; the package must be signed by the key.
--
Lucas Castro
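
An added example, not part of the original message or of the Dovecot documentation: a Python check of one-line sources.list entries against the key-handling rules quoted above from the Debian wiki. The repository host, key file names and fingerprint in the sample are constructed placeholders.

```python
import re

KEYRING_DIR = "/usr/share/keyrings/"     # location the quoted policy says SHOULD be used
LEGACY_DIR = "/etc/apt/trusted.gpg.d/"   # location the quoted policy says MUST NOT be used
# One-line format: deb [opt=val ...] uri suite [component ...]
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")

def audit_entry(line):
    """Return findings for one sources.list line ([] = compliant, or not an entry)."""
    line = line.split("#", 1)[0].strip()          # drop comments and blank lines
    m = ENTRY.match(line)
    if not m:
        return []
    opts = {}
    for item in (m.group("opts") or "").split():
        key, _, value = item.partition("=")
        opts[key] = value
    signed_by = opts.get("signed-by")
    if signed_by is None:
        return ["signed-by option not set"]
    findings = []
    for value in signed_by.split(","):            # apt accepts a comma-separated list
        if not value.startswith("/"):
            findings.append(f"signed-by is not a file path: {value}")
        elif value.startswith(LEGACY_DIR):
            findings.append(f"key stored in trusted.gpg.d: {value}")
        elif not value.startswith(KEYRING_DIR):
            findings.append(f"key outside /usr/share/keyrings: {value}")
    return findings

def audit(text):
    """Map line number -> findings for every non-compliant entry in text."""
    return {n: f for n, line in enumerate(text.splitlines(), 1) if (f := audit_entry(line))}

# Constructed sample input; the URI scheme is not checked because the quoted
# HTTPS rule concerns the key download, not the repository itself.
SAMPLE = """\
deb https://repo.example.invalid/debian buster main
deb [signed-by=/etc/apt/trusted.gpg.d/vendor.gpg] https://repo.example.invalid/debian buster main
deb [signed-by=0123456789ABCDEF0123456789ABCDEF01234567] https://repo.example.invalid/debian buster main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] https://repo.example.invalid/debian buster main
"""

if __name__ == "__main__":
    for n, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"line {n}: {finding}")
```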