
Re: unsigned repositories



Hello,
* Sam Hartman [Sun, Jul 14 2019, 02:07:55PM]:
> >>>>> "Eduard" == Eduard Bloch <edi@gmx.de> writes:
>
>     Eduard> Hello, * Sam Hartman [Sun, Jul 14 2019, 08:46:18AM]:
>     >> >>>>> "Julian" == Julian Andres Klode <jak@debian.org> writes:
>     >>
>     >> Please carefully consider uses of apt besides the system level
>     >> apt running as root installing packages on the system.
>     >>
>     >> What about when I use the apt libraries to explore some
>     >> repository and parse its packages files etc.  Asking people to go
>     >> set up the keys for some of these use cases seems like a lot of
>     >> work.
>
>     Eduard> IMHO this could and should be mitigated. I.e. give people a
>     Eduard> tool they can work with without studying rocket science,
>     Eduard> following the spirit of letsencrypt etc., which handles the
>     Eduard> snakeoil key handling in a lazy way.
>
> Most of the repository generation tools these days do a fairly good job
> of signing the release file.

I am looking at this from the POV of a regular/lazy user. The next best
tool here is apt-ftparchive. Does it help you with signing? No. Does its
manpage even mention InRelease signing in any way? Not really.

Therefore, the critical voices in this thread are right: it is too early to
enforce strict signing.

> What I'm more worried about is configuring the client apt library in
> cases where you are using it for things other than the main apt instance
> on the system.

Understood, but what's the plan? Shouldn't this be another part of the
apt-secure manpage, showing the user configuration examples for the few
main use cases?

Best regards,
Eduard.
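The two gaps the message points at, apt-ftparchive not signing the Release file and the lack of a documented configuration for using apt as a non-root "repository explorer", can both be closed with a few lines. The script below is an added example for this thread, not code from Eduard, Sam, or the apt project. It assumes `gpg` and `apt-ftparchive` are on PATH, that `KEYID` is the fingerprint of a signing key already present in the caller's GnuPG keyring, and that the explorer keyring is a file holding only the repository owner's exported public key; the directory layout it creates is one possible choice, not a layout apt mandates.

```shell
#!/bin/sh
# Added example, not from the original thread.
# sign_release:        the signing step apt-ftparchive leaves to the operator.
# write_explorer_conf: an apt.conf for a private, non-root apt instance that
#                      keeps signature verification on instead of disabling it.
set -eu

# Regenerate Release inside repository root $1 and sign it with key $2.
# Produces both the detached Release.gpg and the clear-signed InRelease.
sign_release() {
    repo="$1"; keyid="$2"
    ( cd "$repo" && apt-ftparchive release . > Release )
    # Detached ASCII-armoured signature, still read by older clients.
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        --output "$repo/Release.gpg" "$repo/Release"
    # Inline clear-signed copy, which current apt fetches first.
    gpg --batch --yes --local-user "$keyid" --clearsign \
        --output "$repo/InRelease" "$repo/Release"
}

# Write apt.conf $1 for an unprivileged explorer whose only trust anchor is
# the keyring file $2, with all state and cache kept under $3.
# Nothing here touches /etc/apt or /var/lib/apt, so no root is needed.
write_explorer_conf() {
    conf="$1"; keyring="$2"; base="$3"
    mkdir -p "$base/state/lists/partial" "$base/cache/archives/partial" \
             "$base/etc/sources.list.d" "$base/etc/trusted.gpg.d"
    # An empty dpkg status file: this instance installs nothing.
    : > "$base/state/status"
    cat > "$conf" <<EOF
Dir::State "$base/state";
Dir::Cache "$base/cache";
Dir::Etc::SourceList "$base/etc/sources.list";
Dir::Etc::SourceParts "$base/etc/sources.list.d";
Dir::Etc::Trusted "$keyring";
Dir::Etc::TrustedParts "$base/etc/trusted.gpg.d";
// Keep apt's default: an unsigned or badly signed repository is an error,
// so the explorer cannot silently consume tampered index files.
Acquire::AllowInsecureRepositories "false";
EOF
}
```

After `write_explorer_conf "$HOME/explore/apt.conf" "$HOME/explore/repo.gpg" "$HOME/explore"` and a `deb` line in `$HOME/explore/etc/sources.list`, the instance is selected per command with `APT_CONFIG="$HOME/explore/apt.conf" apt-get update` (and likewise for `apt-cache`), and `Packages` files are only accepted when the `InRelease` or `Release.gpg` produced by `sign_release` verifies against the key in `repo.gpg`. The point of keeping `Acquire::AllowInsecureRepositories` at its default is that the convenience the thread asks for comes from a private keyring and state directory, not from switching verification off.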

