ONLYOFFICE / DocumentServer

ONLYOFFICE Docs is a free collaborative online office suite comprising viewers and editors for texts, spreadsheets and presentations, forms and PDF, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
https://www.onlyoffice.com
GNU Affero General Public License v3.0

Support modern Debian distro packages #894

Open plinss opened 4 years ago

plinss commented 4 years ago

The Debian package install instructions list:

sudo echo "deb https://download.onlyoffice.com/repo/debian squeeze main" | sudo tee /etc/apt/sources.list.d/onlyoffice.list

Debian Squeeze is a bit dated. I know that the packages work fine on Buster; it'd be nice to be able to specify 'buster' in the apt source file (or better, 'stable').

What is the current behavior?

Installing an apt source file matching the current distro results in an error.

What is the expected behavior?

Installation works.

Did this work in previous versions of DocumentServer?

DocumentServer version:

5.5.3

Operating System:

Debian 10.4

Browser version:

n/a

ShockwaveNN commented 4 years ago

Hi, it's just the default repo name we used. We always check our package on new releases of Debian and Ubuntu, so everything should be fine.

plinss commented 4 years ago

I know the package works fine on Buster; I’m asking you to add release files for more recent distros than squeeze. It can be the same deb file. Or simply switch to ‘stable’. Having apt source files refer to a distro that’s 4 major versions out of date is annoying. It also doesn’t play nice with automation systems like Ansible and I expect it’s causing issues for some security scanning software too.

And frankly, if you’re checking your packages on different distros, you should advertise that fact by having packages tagged for those distros. Installing packages with mismatched distro names makes sysadmins nervous, never knowing when all kinds of dependency hell is going to break loose.

ShockwaveNN commented 4 years ago

Yeah, I'll agree this is not an ideal situation; we'll try to fix it in the future.

Assigned to @SergeMalkin according to instruction by @DenisDeeSign

plinss commented 4 years ago

Thanks!

Can I suggest that when you update the instructions, you also bring them into line with Debian best practices? See: https://wiki.debian.org/DebianRepository/UseThirdParty

In a nutshell:

1) Don't add the GPG key to the system trust store, this allows it to be used to sign any package, from any repo. Instead download it to /usr/share/keyrings/onlyoffice-archive-keyring.gpg and change the source file to refer to that key, e.g.:

deb [signed-by=/usr/share/keyrings/onlyoffice-archive-keyring.gpg] https://download.onlyoffice.com/repo/debian buster main

This ensures that any packages downloaded from your repo are signed by your key, and your key only, and your key can't be used to sign any packages from other repos.

2) Create a preferences file: /etc/apt/preferences.d/onlyoffice with the contents:

Package: *
Pin: origin "download.onlyoffice.com"
Pin-Priority: 100

(feel free to put a more specific glob pattern for the 'Package' value, e.g. Package: dumb-init mono-webserver-hyperfastcgi onlyoffice onlyoffice-* r7-office-* would cover your current packages, but so long as the Pin-Priority is below 500 this isn't really necessary.)

This ensures that packages downloaded from your repo will not replace packages from the Debian repos, or any other repo with a higher pin-priority.
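The two recommendations in the comment above can be checked mechanically. The script below is an added example, not part of the issue thread or of ONLYOFFICE's instructions: the function names are hypothetical, the sample files are constructed, and it only understands one-line `.list` entries.

```shell
#!/bin/sh
# Added example (not from the issue thread): audit one-line APT source entries
# and pin stanzas. deb822 ".sources" files are out of scope here.

# Print "file:line:entry" for each active deb/deb-src entry with no signed-by=
# option, i.e. one that any key in the system-wide trust store can vouch for.
unscoped_entries() {
    grep -HnE '^[[:space:]]*deb(-src)?[[:space:]]' "$@" |
        grep -vE 'deb(-src)?[[:space:]]+\[[^]]*signed-by=' || true
}

# Print the Pin-Priority of every preferences stanza pinned to origin $1.
pin_priority() {
    want=$1; shift
    awk -v want="$want" 'BEGIN { RS = ""; FS = "\n" }
    {
        hit = 0; prio = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Pin: *origin/ && index($i, want)) hit = 1
            if ($i ~ /^Pin-Priority:/) { prio = $i; sub(/^Pin-Priority: */, "", prio) }
        }
        if (hit && prio != "") print prio
    }' "$@"
}

# Succeed only if origin $1 has a pin in the given files and it is below 500.
pin_is_low() {
    p=$(pin_priority "$@" | head -n 1)
    [ -n "$p" ] && [ "$p" -lt 500 ]
}

# Constructed sample files (not real system state).
demo=$(mktemp -d)
cat > "$demo/old.list" <<'EOF'
# entry from the install instructions quoted in the issue
deb https://download.onlyoffice.com/repo/debian squeeze main
EOF
cat > "$demo/new.list" <<'EOF'
deb [signed-by=/usr/share/keyrings/onlyoffice-archive-keyring.gpg] https://download.onlyoffice.com/repo/debian buster main
EOF
cat > "$demo/onlyoffice.pref" <<'EOF'
Package: *
Pin: origin "download.onlyoffice.com"
Pin-Priority: 100
EOF

echo "Entries without signed-by:"; unscoped_entries "$demo"/*.list
pin_is_low download.onlyoffice.com "$demo/onlyoffice.pref" && echo "pin below 500"
rm -rf "$demo"
```

On a real host the same functions can be pointed at /etc/apt/sources.list.d/*.list and /etc/apt/preferences.d/*.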

iwkse commented 4 years ago

Hi, just adding it here as I found it after I opened the issue:

https://github.com/ONLYOFFICE/DocumentServer/issues/1054

Please also provide debian package sources as well. From what I can see, the backends are ELF binary files and I can't find the sources of that.