
Re: Downloading sources from an unsigned intranet repository



On 06/10/14 19:43, Andrei POPESCU wrote:
> On Lu, 06 oct 14, 14:00:42, Stuart Longland wrote:
>> > 
>> > Now for whatever reason, if I want to *install* those packages.  No
>> > problem.  It'll ask whether I wish to install them even though no one
>> > can vouch (digitally) for them.
>> > 
>> > However, it fails to ask the same question when I tell it to download
>> > the package or its sources.
> This might be related to the recent security issues with APT, see
> 
>     DSA 2958-1
>     DSA 3025-1
>     DSA 3025-2
>     DSA 3031-1

Fair enough that it needs to do these checks.  I think it is correct
that it should *warn* people of the dangers.  If the repository
concerned is actually remote, then there is a very real risk of files
being tampered with en route.

If however the repository is just on a local machine then you can
probably safely ignore this risk.

When one types `apt-get install ${package}` and ${package} is unsigned,
this is indeed what happens.  It asks "are you sure", with the default
being "no".

The beef I have is that this is not what happens if you do an `apt-get
download` or an `apt-get source`: in both those latter cases, it never
asks the question, it just flatly refuses to give you the sources.

Now, merely obtaining the binary package or sources is surely much less
dangerous than actually *installing* the package?  One just dumps the
files in your local directory (a convenience around doing a `wget`
myself), the other unpacks them and places files in my root.

Is it just me, or is something backward here?
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
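The distinction drawn above, between a local repository where skipping signature checks is tolerable and a remote one where it is not, can be turned into a quick lint of apt sources entries. This is an added example, not code from the thread or from apt; the sources.list lines it checks are constructed for the demo, and the `[trusted=yes]` option is the standard apt way of disabling authentication for an entry.

```shell
#!/bin/sh
# Added example (not from the original thread): lint apt sources.list lines and
# flag entries that disable signature checking ([trusted=yes]) for a repository
# that is not local. A file:/cdrom:/copy: repo is never in transit, so skipping
# authentication there is the "local machine" case from the message; a remote
# URI with authentication disabled is the risky case.

# Reads sources.list lines on stdin, prints one report line per entry.
# Returns 1 if any remote entry disables authentication, 0 otherwise.
lint_sources() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
            deb*) ;;                       # deb / deb-src entries only
            *) continue ;;
        esac
        set -- $line                       # split into words
        shift                              # drop "deb" / "deb-src"
        opts=''
        case "$1" in                       # optional [opt=val ...] block
            '['*)
                while [ $# -gt 0 ]; do
                    opts="$opts $1"
                    case "$1" in *']') shift; break ;; esac
                    shift
                done ;;
        esac
        uri="$1"
        case "$opts" in
            *trusted=yes*) trusted=yes ;;
            *) trusted=no ;;
        esac
        case "$uri" in
            file:*|cdrom:*|copy:*) scope=local ;;
            *) scope=remote ;;
        esac
        if [ "$trusted" = yes ] && [ "$scope" = remote ]; then
            echo "RISK  $uri (remote, authentication disabled)"; rc=1
        elif [ "$trusted" = yes ]; then
            echo "ok    $uri (local, authentication disabled)"
        else
            echo "ok    $uri (signatures checked)"
        fi
    done
    return $rc
}

# Constructed sample sources.list content for the demo.
SAMPLE='deb http://deb.debian.org/debian jessie main
deb [trusted=yes] file:/srv/local-repo ./
deb [arch=amd64 trusted=yes] http://mirror.example.internal/debian jessie main
# deb-src http://deb.debian.org/debian jessie main'

printf '%s\n' "$SAMPLE" | lint_sources || echo "unsafe entries found"
```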

