Frequently Asked Question
What is /etc/apt/sources.list and how do I add a third-party repository safely?
/etc/apt/sources.list and the files under /etc/apt/sources.list.d/ tell APT which
repositories to consult. Each line names the type (deb for binaries, deb-src for
sources), the URL of the mirror, the suite (e.g. noble, bookworm), and the
components (main, restricted, universe, multiverse on Ubuntu; main,
contrib, non-free, non-free-firmware on Debian). When you run apt update,
every line here is fetched and its InRelease file signature verified.
The safe way to add a third-party repo today is: download the vendor's public key
with curl, store it in /etc/apt/keyrings/<vendor>.gpg, then create
/etc/apt/sources.list.d/<vendor>.list with a single deb line whose options field
carries [signed-by=/etc/apt/keyrings/<vendor>.gpg]. That binding ensures the key is
trusted only for that specific repository, not for everything APT touches. The older
apt-key add was deprecated in 2020 because a key in the global keyring could sign
packages for any repository: an attacker who compromised one vendor's key could
replace the entire libc6 package. Modern Ubuntu (24.04+) refuses to use globally
trusted keys at all.
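The line format described above and the signed-by procedure, as an added bash example that is not part of the original FAQ: `parse_deb_line` splits a one-line source into its fields (including the optional `[...]` options field), `add_vendor_repo` writes the keyring and the `.list` file the way the answer describes, and `audit_sources` flags entries with no signed-by, signed-by keys that are missing, and keys still sitting in the global keyring. The `ROOT` prefix is an assumption added so the functions can be exercised against a scratch directory instead of the live system; the vendor name, URLs and the key content in the demo are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original FAQ). ROOT is an assumed prefix
# ("" = the real system) so everything can be tried in a scratch directory.
set -euo pipefail

# parse_deb_line LINE -> "type|options|uri|suite|components" (fails on blank/comment lines)
parse_deb_line() {
  local line="$1" type opts="" tok
  line="${line%%#*}"                          # drop a trailing comment
  set -- $line                                # word-split into tokens
  [ $# -ge 4 ] || return 1                    # type uri suite component...
  type="$1"; shift
  if [ "${1#\[}" != "$1" ]; then              # optional "[opt=val ...]" field
    while [ $# -gt 0 ]; do
      tok="$1"; shift
      opts="$opts ${tok#\[}"
      case "$tok" in *\]) break;; esac
    done
    opts="${opts# }"; opts="${opts%\]}"
  fi
  [ $# -ge 3 ] || return 1
  printf '%s|%s|%s|%s|' "$type" "$opts" "$1" "$2"; shift 2
  printf '%s\n' "$*"
}

# signed_by_of LINE -> the signed-by keyring path, or failure if the line has none
signed_by_of() {
  local opts o
  opts=$(parse_deb_line "$1" | cut -d'|' -f2) || return 1
  for o in $opts; do
    case "$o" in signed-by=*) printf '%s\n' "${o#signed-by=}"; return 0;; esac
  done
  return 1
}

# add_vendor_repo ROOT VENDOR KEYFILE URL SUITE COMPONENTS -> prints the .list path
# KEYFILE is the key you fetched with `curl -fsSL <key URL> -o KEYFILE`
# (run an ASCII-armored .asc through `gpg --dearmor` first).
add_vendor_repo() {
  local root="$1" vendor="$2" keyfile="$3" url="$4" suite="$5" comps="$6"
  local keyring="/etc/apt/keyrings/$vendor.gpg"
  local list="/etc/apt/sources.list.d/$vendor.list"
  install -d -m 0755 "$root/etc/apt/keyrings" "$root/etc/apt/sources.list.d"
  install -m 0644 "$keyfile" "$root$keyring"   # must be readable by the _apt user
  printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$comps" > "$root$list"
  printf '%s\n' "$list"
}

# audit_sources ROOT -> one line per finding (UNPINNED, MISSING-KEY, GLOBAL-KEY)
audit_sources() {
  local root="$1" f line parsed key
  for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
    [ -f "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      parsed=$(parse_deb_line "$line") || continue
      case "${parsed%%|*}" in deb|deb-src) ;; *) continue;; esac
      if key=$(signed_by_of "$line"); then
        [ -f "$root$key" ] || printf 'MISSING-KEY %s -> %s\n' "${f#$root}" "$key"
      else
        printf 'UNPINNED %s: %s\n' "${f#$root}" "$line"   # trusted by every global key
      fi
    done < "$f"
  done
  # Anything here is trusted for every repository: the apt-key add problem.
  for f in "$root/etc/apt/trusted.gpg" "$root"/etc/apt/trusted.gpg.d/*; do
    [ -f "$f" ] && printf 'GLOBAL-KEY %s\n' "${f#$root}"
  done
  return 0
}

# Demo against a scratch root: `bash this.sh demo`
if [ "${1:-}" = demo ]; then
  root=$(mktemp -d)
  printf 'placeholder key bytes\n' > "$root/vendor.key"        # constructed, not a real key
  add_vendor_repo "$root" examplevendor "$root/vendor.key" https://apt.example.invalid noble main
  printf 'deb http://legacy.example.invalid/apt noble main\n' > "$root/etc/apt/sources.list"
  audit_sources "$root"
  rm -rf "$root"
fi
```

`audit_sources ""` runs the same checks on the live machine; any UNPINNED line is a repository whose packages are accepted on the strength of whatever sits in the global keyring, and any GLOBAL-KEY finding is a key that still has that blanket trust.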