Install script (script.deb.sh) needs updating to reflect Debian best-practice

Re: https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh

The mechanism used for key handling is not in line with Debian best practices.

As per https://wiki.debian.org/DebianRepository/UseThirdParty:

“The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint.”
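An added example, not part of the original post and not GitLab's script: a shell check that classifies one-line-style APT source entries against the rules quoted above. The function names and status words are this example's own assumptions, and deb822 `.sources` files are not handled.

```shell
#!/bin/sh
# Audit one-line-style APT source entries against the UseThirdParty rules
# quoted above. Status names are this example's own, not apt's.

# classify_entry LINE  -> prints one status word:
#   skip             not a deb/deb-src entry (comment, blank line)
#   no-signed-by     no signed-by option (SHOULD be set)
#   fingerprint      signed-by is not a file path (MUST point to a file)
#   trusted-gpg-d    key sits in /etc/apt/trusted.gpg.d (MUST NOT)
#   outside-keyrings file path, but not under /usr/share/keyrings (SHOULD)
#   ok               signed-by points to a file under /usr/share/keyrings
# A comma-separated signed-by list is judged by its first element only.
classify_entry() {
    line=$1
    case $line in
        deb\ *|deb-src\ *) ;;
        *) echo skip; return 0 ;;
    esac
    case $line in
        *\[*\]*) opts=${line#*\[}; opts=${opts%%\]*} ;;  # text inside [ ... ]
        *) echo no-signed-by; return 0 ;;
    esac
    keyref=
    for opt in $opts; do
        case $opt in signed-by=*) keyref=${opt#signed-by=} ;; esac
    done
    case $keyref in
        '') echo no-signed-by ;;
        /etc/apt/trusted.gpg.d/*) echo trusted-gpg-d ;;
        /usr/share/keyrings/*) echo ok ;;
        /*) echo outside-keyrings ;;
        *) echo fingerprint ;;
    esac
}

# audit_file PATH -> prints "status<TAB>entry" for each finding; returns 1 if any
audit_file() {
    bad=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        status=$(classify_entry "$entry")
        case $status in
            ok|skip) ;;
            *) printf '%s\t%s\n' "$status" "$entry"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}
```

Call `audit_file` on `/etc/apt/sources.list` and on each `*.list` file under `/etc/apt/sources.list.d/`; a non-zero return means at least one entry needs attention.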

I suggest you open an issue on the GitLab project here: GitLab.org / GitLab · GitLab

Then a dev could look at and resolve the issue. It won’t be resolved by posting about it on the community forums, since it requires a dev to look at it.
