Suggestions to improve debian repository instructions

With regards to the documentation on Debian package repositories, I’d like to suggest the following improvements.

  • Instead of using sudo apt-key add -, users should be instructed to save the key file to /usr/share/keyrings/seafile-keyring.asc.
  • The seafile.list file should then have [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] instead of just [arch=amd64], to tell apt where to find the right key for this particular repository.
  • Debian advises that the key should be available as a binary file with the extension *.gpg instead of the ASCII-armored *.asc format; if you replace your current (ASCII) seafile.key with a binary exported seafile-keyring.gpg, adjust the previous suggestions accordingly. Note that apt will only accept ASCII keys with the *.asc extension or binary keys with the *.gpg extension; they must not be mixed up, and *.key should not be used.
  • The server address should always use https instead of http.

The benefit of this is enhanced security. Keys added using apt-key add are all added to a global keyring (/etc/apt/trusted.gpg). This old method doesn’t specify which repository a key is meant to be used for, but package lists signed by any present key are silently accepted as trustworthy.

Thanks! We’ll look at the keyring suggestion. Actually https has been enabled from the beginning. It’s just not mentioned in the documentation.

Thanks for adjusting the docs!

Just one more detail: I’ve noticed that sudo wget might store the keyring file without read permission for other users, and then apt complains about the key being unavailable. Correcting this right after the wget call fixes it:

sudo wget -O /usr/share/keyrings/seafile-keyring.asc
sudo chmod go+r /usr/share/keyrings/seafile-keyring.asc
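The steps from the first post (per-repository keyring, signed-by, .asc/.gpg naming, https only) and the read-permission fix above, combined into one script. This is an added example, not the Seafile project's own install code; the KEYRING_DIR variable, the function names and the repository URL/suite used when calling sources_line are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): install a repository keyring the
# way the thread recommends and emit the matching signed-by sources entry.
# KEYRING_DIR is an assumption so the functions can be pointed at a scratch dir.
KEYRING_DIR="${KEYRING_DIR:-/usr/share/keyrings}"

# is_armored FILE: succeeds if FILE starts with an ASCII-armor header.
is_armored() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# keyring_name_ok FILE: apt pairs .asc with armored and .gpg with binary keys;
# reject any other extension (e.g. .key) or a mismatch between name and content.
keyring_name_ok() {
    case "$1" in
        *.asc) is_armored "$1" ;;
        *.gpg) ! is_armored "$1" ;;
        *) return 1 ;;
    esac
}

# install_keyring SRC NAME: copy SRC to $KEYRING_DIR/NAME and make it
# world-readable (a root-owned file written with a restrictive umask makes
# apt report the key as unavailable), then check the name/content pairing.
install_keyring() {
    src="$1"; dst="$KEYRING_DIR/$2"
    mkdir -p "$KEYRING_DIR"
    cp "$src" "$dst"
    chmod 0644 "$dst"
    keyring_name_ok "$dst" || { rm -f "$dst"; echo "bad keyring name for $dst" >&2; return 1; }
}

# sources_line NAME URL SUITE COMPONENT: the deb line with signed-by restricting
# this key to this repository only; non-https URLs are refused.
sources_line() {
    case "$2" in
        https://*) ;;
        *) echo "refusing non-https URL $2" >&2; return 1 ;;
    esac
    printf 'deb [arch=amd64 signed-by=%s/%s] %s %s %s\n' "$KEYRING_DIR" "$1" "$2" "$3" "$4"
}
```

Typical use as root would be install_keyring ./seafile.key seafile-keyring.asc followed by sources_line seafile-keyring.asc https://REPO_URL SUITE main > /etc/apt/sources.list.d/seafile.list, with REPO_URL and SUITE taken from the Seafile documentation.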