
Third Party Repo Lists
Open, Wishlist, Public

Description

I am opening this as a different ticket so it doesn't get buried.

I propose including a few repo lists and keys to ship with Whonix, disabled by default of course. Users should enable them only when choosing to install/trust the software.

Advantages include simpler installation of select third-party packages and preventing the user from shooting themselves in the foot when adding a repo or doing key verification, which can result in them being tricked and infected.

Details

Impact
Normal

Event Timeline

HulaHoop created this task. Jun 7 2015, 2:26 AM
HulaHoop raised the priority of this task from to Needs Triage.
HulaHoop updated the task description.
HulaHoop set Impact to Needs Triage.
HulaHoop added a subscriber: HulaHoop.
Patrick triaged this task as Wishlist priority. Jun 7 2015, 6:03 AM
Patrick changed Impact from Needs Triage to Normal.

This is a general usability issue of Linux distributions such as Debian. There is no easy and secure way to enable third-party repositories, and there is nowhere for third parties to register. Ideally, things like the TPO, Tails and Whonix signing keys would be available from a package that is shipped in the official Debian repository.

$someone would have to create a package third-party-repositories (or so) that contains:

  • the /etc/apt/sources.list.d/ snippets
  • the signing keys

For:

  • yacy
  • i2p
  • torproject
  • Debian multimedia
  • etc.

Thereby becoming somewhat of a certificate authority: someone who verifies and somewhat vouches for the keys of others.

As a related task, apt-add-repository could use a feature:

  • to create the /etc/apt/sources.list.d/ snippet
  • drop the signing key into /etc/apt/trusted.gpg.d/ (mixing into /etc/apt/trustdb.gpg is non-ideal)

And maybe scripts and/or a graphical user interface to enable/disable those.

Certainly a lot of room to increase usability. And quite some development and maintenance effort. This is like a whole project idea.
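As an added example (not code from this ticket, from Whonix or from Debian), here is a POSIX shell sketch of the two pieces the comment above describes, the /etc/apt/sources.list.d/ snippet and the key drop, written so the repository ships with Enabled: no and is only switched on when the user opts in. Two choices go beyond what the comment says and are this example's own: the key is installed under /usr/share/keyrings/ and referenced with Signed-By, so apt accepts it for that one repository only (a key placed in /etc/apt/trusted.gpg.d/ is trusted for every configured source), and the keyring's SHA-256 is pinned so that the digest the packager vouched for, rather than a fingerprint the user compares by hand, is what gets checked. The function names, the optional ROOT prefix for writing under a scratch directory, the accepted URL schemes and the placeholder key bytes are all assumptions of the example; it needs an apt with deb822 .sources support and a keyring that is already in binary (dearmored) form.

```sh
#!/bin/sh
# Added example, not Whonix or Debian code. Installs a third-party apt
# repository disabled by default, with its signing key scoped to that
# repository only. Assumes apt with deb822 .sources support and a keyring
# that is already in binary (dearmored) form. ROOT is a hypothetical prefix
# so the functions can be exercised under a scratch directory instead of /.
set -eu

# add_repo NAME URL SUITE COMPONENTS KEYRING_FILE EXPECTED_SHA256 [ROOT]
# Writes the keyring and a disabled .sources snippet; refuses bad input.
add_repo() {
    name=$1 url=$2 suite=$3 comps=$4 keyfile=$5 expect=$6 root=${7:-}
    # The name becomes part of two file names: allow only [a-z0-9-].
    case $name in
        ""|*[!a-z0-9-]*) echo "add_repo: bad name '$name'" >&2; return 1 ;;
    esac
    # Plain http lets a network attacker serve a different index; signatures
    # still protect packages, but downgrade and metadata tricks get easier.
    # The allowed schemes here are an assumption of the example.
    case $url in
        https://*|tor+http://*|tor+https://*) ;;
        *) echo "add_repo: refusing URL '$url'" >&2; return 1 ;;
    esac
    # Pin the keyring to the digest the packager vouched for, so the user
    # never has to compare fingerprints by hand.
    actual=$(sha256sum "$keyfile" | cut -d' ' -f1)
    if [ "$actual" != "$expect" ]; then
        echo "add_repo: keyring digest mismatch for '$name'" >&2
        return 1
    fi
    keyring="$root/usr/share/keyrings/$name-archive-keyring.gpg"
    src="$root/etc/apt/sources.list.d/$name.sources"
    mkdir -p "${keyring%/*}" "${src%/*}"
    # World-readable is fine: this is a public key, and apt reads it as _apt.
    install -m 0644 "$keyfile" "$keyring"
    # Signed-By ties the key to this repository; a key dropped into
    # /etc/apt/trusted.gpg.d/ would be accepted for every configured source.
    # Enabled: no keeps the repository inert until the user opts in.
    cat > "$src" <<EOF
Enabled: no
Types: deb
URIs: $url
Suites: $suite
Components: $comps
Signed-By: /usr/share/keyrings/$name-archive-keyring.gpg
EOF
}

# set_repo_enabled NAME yes|no [ROOT]  -- flip the Enabled field in place.
set_repo_enabled() {
    name=$1 state=$2 root=${3:-}
    case $state in
        yes|no) ;;
        *) echo "set_repo_enabled: state must be yes or no" >&2; return 1 ;;
    esac
    src="$root/etc/apt/sources.list.d/$name.sources"
    sed "s/^Enabled: .*/Enabled: $state/" "$src" > "$src.tmp" && mv "$src.tmp" "$src"
}

# repo_enabled NAME [ROOT]  -- exit 0 if the repository is currently enabled.
repo_enabled() {
    grep -qx 'Enabled: yes' "${2:-}/etc/apt/sources.list.d/$1.sources"
}

# Demo against a scratch root with a constructed placeholder key, not a real
# one. Run as:  sh third-party-repo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf 'constructed placeholder, not a real OpenPGP keyring\n' > "$demo/key.gpg"
    digest=$(sha256sum "$demo/key.gpg" | cut -d' ' -f1)
    add_repo torproject https://deb.torproject.org/torproject.org bookworm main \
        "$demo/key.gpg" "$digest" "$demo"
    cat "$demo/etc/apt/sources.list.d/torproject.sources"
    set_repo_enabled torproject yes "$demo"
    repo_enabled torproject "$demo" && echo "torproject repo now enabled"
    rm -rf "$demo"
fi
```

A package built around this would ship the keyrings and the disabled .sources files, and the enable/disable script (or a small GUI on top of it) would only ever touch the Enabled field, never the key material or the URIs.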