Re: apt-build - Authentication warning overridden. - security issue?
Cyril Brulebois:
> Patrick Schleizer <adrelanos@riseup.net> (2015-03-18):
>> Hi,
>>
>> I was running:
>> sudo apt-build install ccache
>>
>> And the output contained a message:
>>
>> WARNING: The following packages cannot be authenticated!
>> ccache
>> Authentication warning overridden.
>>
>> Is this just how apt-build works or could this be a security issue due
>> to installing unauthenticated packages?
>
> It probably wouldn't happen if the source snippet added at
> installation time would be using “deb [trusted=yes]” instead of just
> “deb”. Manually editing /etc/apt/sources.list.d/apt-build.list seems
> to confirm that. [...]
That works for me on jessie, but not on wheezy.
But... Doesn't this just silence the warning? I mean, adding
'[trusted=yes]' to the local apt line is safe, sure. But the original
issue was, that the message 'Authentication warning overridden.' is auto
generated. I.e. apt-build used apt-get in a way to ignore such warnings.
There is one line in apt-build source code that includes '-o
Apt::Get::AllowUnauthenticated=true'. So if some other packages from a
remote repository could not be authenticated, another 'Authentication
warning overridden.' could happen?
For testing purposed, I removed the part '-o
Apt::Get::AllowUnauthenticated=true' from apt-build. 'apt-build install'
is still functional. I don't understand the code to say if that is a
good idea. What do you think? Should that part be removed?
Cheers,
Patrick
Reply to: