Re: Downloading sources from an unsigned intranet repository
On Mon 06 Oct 2014 at 21:13:17 +1000, Stuart Longland wrote:
> On 06/10/14 19:43, Andrei POPESCU wrote:
> > On Lu, 06 oct 14, 14:00:42, Stuart Longland wrote:
> >> >
> >> > Now for whatever reason, if I want to *install* those packages. No
> >> > problem. It'll ask whether I wish to install them even though no one
> >> > can vouch (digitally) for them.
> >> >
> >> > However, it fails to ask the same question when I tell it to download
> >> > the package or its sources.
> > This might be related to the recent security issues with APT, see
> >
> > DSA 2958-1
> > DSA 3025-1
> > DSA 3025-2
> > DSA 3031-1
>
> Fair enough that it needs to do these checks. I think it is correct
> that it should *warn* people of the dangers. If the repository
> concerned is actually remote, then there is a very real risk of files
> being tampered with en route.
>
> If however the repository is just on a local machine then you can
> probably safely ignore this risk.
Please take a look at sources.list(5)
The format for a sources.list entry using the deb and deb-src types is:
deb [ options ] uri distribution [component1] [component2] [...]
See whether [ options ] could do anything for you.
Reply to: