Pull request replacing apt-key with curl/gpg

Just as a heads up for anyone else who like me might be wondering about the recent pull request #2299:

Apparently Debian/Ubuntu are deprecating apt-key, see discussion at:

Quote from the article:

The reason for this change is that when adding an OpenPGP key that’s used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don’t have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security).

My thanks to the devs for keeping on top of things!

The main reason:

There seems to be an error in the upgrade script install/upgrade/versions/1.5.3.sh where it constructs the MariaDB apt repo URL (line 71)

Currently it is:

https ://mirror.mva-n.net/mariadb/repo//$VERSION $codename main

According to their download page it should be like:

https ://mirror.mva-n.net/mariadb/repo/10.5/debian bullseye main

so line 71 should be:

https ://mirror.mva-n.net/mariadb//repo/$mariadb_v/$VERSION $codename main

Thanks changed it.

Actually it seems that the correct syntax should be:

https ://mirror.mva-n.net/mariadb/repo/$mariadb_v/$os $codename main

Note: Currently there is an inconsistency between the install and upgrade scripts in how they derive the variables $VERSION and $os …

VERSION=“$(lsb_release -s -r)”
VERSION=‘debian’

For consistency reasons $VERSION should be the same in all 3 scripts (install/hst-install-debian.sh install/hst-install-ubuntu.sh and install/upgrade/versions/1.5.3.sh)

Since the “lsb-release” package isn’t installed by default on a minimal Debian, perhaps the best way to ensure consistency among the HestiaCP install/upgrade scripts would be for all 3 scripts to parse /etc/os-release to populate the $os $VERSION $codename $release etc the info.

$os = ID
$release = VERSION_ID
$VERSION = VERSION_ID
$codename = VERSION_CODENAME

The /etc/os-release seems to be the universally supported option (for all Linux flavor from Debian/Ubuntu to CentOS/Fedora etc):
https://www.freedesktop.org/software/systemd/man/os-release.html

lsb_release is a dependency that we have added. So it should always be available…

I meant when you download the HestiaCP install script for the first time on your freshly provisioned Debian VPS, the lsb-release pkg might not be there.

I assume that’s why the install script on Debian has hardcoded values, whereas the one for Ubuntu uses lsb_release.

But for the upgrade script, you can use lsb_release, sure …

No that why we use:

Sure, all I’m saying is HestiaCP’s install/upgrade scripts are currently using 4 different ways (hardcoded strings, parsing /etc/debian-version, /etc/os-release and lsb-release) to derive some simple info like OS type, version and codename.

I just think it would be more consistent to just use the /etc/os-release file (which is offered by all current Linux OSes).

It’s a minor issue anyway …

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.