Pull request replacing apt-key with curl/gpg

Just as a heads up for anyone else who like me might be wondering about the recent pull request #2299:

Apparently Debian/Ubuntu are deprecating apt-key, see discussion at:

Quote from the article:

The reason for this change is that when adding an OpenPGP key that’s used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don’t have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security).

My thanks to the devs for keeping on top of things!

1 Like

The main reason:

There seems to be an error in the upgrade script install/upgrade/versions/1.5.3.sh where it constructs the MariaDB apt repo URL (line 71)

Currently it is:

https ://mirror.mva-n.net/mariadb/repo//$VERSION $codename main

According to their download page it should be like:

https ://mirror.mva-n.net/mariadb/repo/10.5/debian bullseye main

so line 71 should be:

https ://mirror.mva-n.net/mariadb//repo/$mariadb_v/$VERSION $codename main

Thanks changed it.

Actually it seems that the correct syntax should be:

https ://mirror.mva-n.net/mariadb/repo/$mariadb_v/$os $codename main

Note: Currently there is an inconsistency between the install and upgrade scripts in how they derive the variables $VERSION and $os …

VERSION="$(lsb_release -s -r)"

For consistency reasons $VERSION should be the same in all 3 scripts (install/hst-install-debian.sh install/hst-install-ubuntu.sh and install/upgrade/versions/1.5.3.sh)

Since the “lsb-release” package isn’t installed by default on a minimal Debian, perhaps the best way to ensure consistency among the HestiaCP install/upgrade scripts would be for all 3 scripts to parse /etc/os-release to populate the $os $VERSION $codename $release etc the info.

$os = ID
$release = VERSION_ID

The /etc/os-release seems to be the universally supported option (for all Linux flavor from Debian/Ubuntu to CentOS/Fedora etc):

lsb_release is a dependency that we have added. So it should always be available…

I meant when you download the HestiaCP install script for the first time on your freshly provisioned Debian VPS, the lsb-release pkg might not be there.

I assume that’s why the install script on Debian has hardcoded values, whereas the one for Ubuntu uses lsb_release.

But for the upgrade script, you can use lsb_release, sure …

No that why we use:

Sure, all I’m saying is HestiaCP’s install/upgrade scripts are currently using 4 different ways (hardcoded strings, parsing /etc/debian-version, /etc/os-release and lsb-release) to derive some simple info like OS type, version and codename.

I just think it would be more consistent to just use the /etc/os-release file (which is offered by all current Linux OSes).

It’s a minor issue anyway …

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.