cri-o homepage at https://cri-o.io recommends unsafe way of adding kubic keyring on Debian based systems

[EmmanuelKasper]

The main page of the https://cri-o.io/ website recommends the following:

curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -

however the uses of apt-key gives system wide trust to the kubic keyring, which means packages contained in the kubic repo and signed by the kubic release key could override core system packages

the current recommendation for Debian based systems is to limit the scope of trust of a keyring to its associated package repository, as documented in https://wiki.debian.org/DebianRepository/UseThirdParty#Sources.list_entry

The install.md file has the correct way of adding the kubic keyring, however it is not reflected in the cri-o web site.

[haircommander]

thank you for opening @EmmanuelKasper ! do you have any interest in updating the website?

[EmmanuelKasper]

Yes I can update this part in the website, should that be a pull request, and if yes, which file contains the cri-o.io homepage ?