
Re: Downloading sources from an unsigned intranet repository



On Mon 06 Oct 2014 at 21:13:17 +1000, Stuart Longland wrote:

> On 06/10/14 19:43, Andrei POPESCU wrote:
> > On Lu, 06 oct 14, 14:00:42, Stuart Longland wrote:
> > >
> > > Now for whatever reason, if I want to *install* those packages.  No
> > > problem.  It'll ask whether I wish to install them even though no one
> > > can vouch (digitally) for them.
> > >
> > > However, it fails to ask the same question when I tell it to download
> > > the package or its sources.
> > This might be related to the recent security issues with APT, see
> > 
> >     DSA 2958-1
> >     DSA 3025-1
> >     DSA 3025-2
> >     DSA 3031-1
> 
> Fair enough that it needs to do these checks.  I think it is correct
> that it should *warn* people of the dangers.  If the repository
> concerned is actually remote, then there is a very real risk of files
> being tampered with en route.
> 
> If however the repository is just on a local machine then you can
> probably safely ignore this risk.

Please take a look at sources.list(5)

  The format for a sources.list entry using the deb and deb-src types is:

          deb [ options ] uri distribution [component1] [component2] [...]

See whether [ options ] could do anything for you.
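
An added example, not part of the original message: a small parser for the one-line entry format quoted above that lists entries whose options switch off signature verification and says whether the URI is local or remote. The `trusted` option it checks is documented in sources.list(5) but is not named in this thread; the host names and paths in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# deb [ options ] uri distribution [component1] [component2] [...]
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[\s*([^\]]*?)\s*\]\s+)?(\S+)\s+(\S+)\s*(.*)$"
)
LOCAL_SCHEMES = {"file", "copy", "cdrom"}          # no network transport
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}    # loopback only

def parse_entry(line):
    """Parse one entry; return None for blank lines and comments."""
    m = ENTRY.match(line.split("#", 1)[0].strip())
    if not m:
        return None
    kind, opts, uri, dist, comps = m.groups()
    # Options are space-separated key=value pairs inside the brackets.
    options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
    return {"type": kind, "options": options, "uri": uri,
            "distribution": dist, "components": comps.split()}

def is_local(uri):
    """True when the repository never leaves this machine."""
    parts = urlsplit(uri)
    return parts.scheme in LOCAL_SCHEMES or parts.hostname in LOCAL_HOSTS

def audit(text):
    """Return (line number, type, uri, 'local'|'remote') for trusted=yes entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and entry["options"].get("trusted") == "yes":
            where = "local" if is_local(entry["uri"]) else "remote"
            findings.append((lineno, entry["type"], entry["uri"], where))
    return findings

# Constructed sample sources.list content.
SAMPLE = """\
# constructed sample
deb http://mirror.example/debian wheezy main
deb [ arch=amd64 trusted=yes ] http://repo.intranet.example/debian wheezy main
deb-src [trusted=yes] file:/srv/repo ./
deb [arch=amd64] http://repo.intranet.example/tools wheezy main contrib
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s %s -> signatures not checked, %s" % finding)
```

Entries reported as `remote` are the ones where the tampering-en-route concern raised earlier in the thread applies.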

