
Bug#203741: apt-secure



On Mon, Sep 08, 2003 at 12:02:39AM -0400, Colin Walters wrote:

> First of all, despite what we were saying initially on IRC, if you're
> prompting before the packages are actually downloaded, then there are no
> problems with polluting the cache, no?

The problem situation I was talking about is where someone downloads a
package, then changes their trust policy, then runs an upgrade/install.
Since the package is already downloaded, under the current setup I don't
think they get the warning.  Since the user should be able to change their
policy and have it take effect immediately, this should be fixed.  I'm
looking into the pkgDepCache changes now.

> The other issue about displaying which sources (in addition to which
> packages) were insecure is probably less pressing.

I am concerned about the potential length of that warning message, if it
includes the source.  There is no short, unique identifier for it currently.
If 100 packages are being installed and the source name is displayed, I
think the message would end up being 100 lines long.  Since it currently
displays only the package name, it takes advantage of the existing code to
provide a nicely formatted list which is not too large.

The problem situation you're describing, if I understand correctly, is where
the user has an insecure source that they want packages from regularly, and
has another insecure source which they do not want packages from regularly,
and should be able to see at a glance that packages are coming from the
unexpected insecure source rather than the expected one.

If so, I agree that this is minor, as any source being used for regular
upgrades should probably be secured.

Which reminds me; we need to whip up some tools to make this easy.  How is
this done for the Debian archive?  Maybe we can borrow those tools, or use
them for comparison.

> On Sun, 2003-09-07 at 16:10, Matt Zimmerman wrote:
> > Oh, another thing.  The error/warning situation could probably use some
> > cleanup.  While at this point, someone who installs the new code on an
> > existing setup will continue to have a functional apt (with the addition of
> > the confirmation question), but they will get a bunch of warnings from
> > apt-get update as it tries to verify signatures and finds that it doesn't
> > have a keyring (or maybe even gnupg).
> 
> We should have apt Depend: on gnupg, and also ship a default keyring
> with the Debian ftp keys, perhaps with a prompt for whether or not to
> trust the keys.

I'm wary of a Depends: on gnupg, since apt is fully functional without it.
We should definitely ship some keys by default, but if we ship them in the
form of a gnupg keyring, rather than exported keys, I think we can avoid the
dependency and just copy the keyring into place (assuming that gnupg
keyrings are reasonably portable across versions).

> > - It looks like pkgAcqIndexRel isn't used anymore.  If this is correct, I
> >   think we should remove it.
> 
> I think this is still used for semi-obscure pinning purposes.  We should
> probably try to merge that back into the main Release file.

In current apt CVS, it is only used in debindexfile.cc to fetch the Release
file.  Since the metaindex stuff does that now, it's obsolete and I think it
should be removed.

One thing that pkgAcqIndexRel does that pkgAcqMetaIndex doesn't do is the
Custom600Headers bit, which I think definitely should be added to
pkgAcqMetaIndex (unless you intentionally wanted it to be fetched every
time).

> > - I'm torn about how to handle the situation where a Release file is
> > signed, but the public key isn't available.  On one hand, I don't want
> > to issue a warning all the time, because I think it will be a normal
> > situation.
> 
> This doesn't seem like a very normal situation - if you don't trust the
> source, then you don't trust the source, and you should see a warning.

I think the warning during update is superfluous because the user will be
asked for confirmation when installing packages.  I might add a source to my
sources.list that I don't generally trust, knowing that apt will ask for
confirmation before installing packages from it.  However, I would still get
a warning on every single apt-get update.

-- 
 - mdz
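The two points above about the trust check, that a policy change must take effect even for packages already in the cache, and that a warning listing many packages should stay short even when it names the source, can be modelled compactly. The following is an added example written for this page; it is not apt's code, nor the patch under discussion in the bug. It replaces apt's OpenPGP verification of the Release file with an HMAC stand-in, and the source names, key ids, package cache and policy structure are all constructed assumptions. The install-time check consults only the current policy, never the "already downloaded" flag, and the warning groups untrusted packages under one header line per source.

```python
import hashlib
import hmac
import textwrap
from collections import defaultdict


def sign_release(release_body: bytes, key: bytes) -> bytes:
    """Stand-in for the archive's OpenPGP signature over the Release file (assumption)."""
    return hmac.new(key, release_body, hashlib.sha256).digest()


def release_state(source: dict, keyring: dict, policy: dict) -> str:
    """Classify a source's Release file against the keyring and policy as they are now.

    Returns 'trusted', 'unsigned', 'no-key' (signed but public key not available),
    'untrusted-key' (key held but not trusted by policy) or 'bad-sig'.
    """
    key_id, sig = source.get("key_id"), source.get("sig")
    if key_id is None or sig is None:
        return "unsigned"
    key = keyring.get(key_id)
    if key is None:
        return "no-key"
    if key_id not in policy["trusted_keys"]:
        return "untrusted-key"
    expected = sign_release(source["release"], key)
    return "trusted" if hmac.compare_digest(expected, sig) else "bad-sig"


def plan_install(pkgs, cache, sources, keyring, policy):
    """Split the packages to install into trusted ones and untrusted ones grouped by source.

    The decision is made from the current policy at install time; whether the
    .deb was already downloaded under an earlier policy is not consulted, so a
    policy change takes effect immediately.
    """
    trusted, untrusted = [], defaultdict(list)
    for name in pkgs:
        src_name = cache[name]["source"]
        if release_state(sources[src_name], keyring, policy) == "trusted":
            trusted.append(name)
        else:
            untrusted[src_name].append(name)
    return trusted, dict(untrusted)


def format_warning(untrusted: dict) -> str:
    """One header line per source with the package names wrapped beneath it,
    so many packages from one source do not produce one line per package."""
    lines = []
    for src_name in sorted(untrusted):
        lines.append(f"WARNING: the following packages from {src_name} cannot be authenticated:")
        lines.extend(textwrap.wrap(" ".join(sorted(untrusted[src_name])), width=72,
                                   initial_indent="  ", subsequent_indent="  "))
    return "\n".join(lines)


# Constructed sample archive state (not real Debian data).
FTPMASTER_KEY = b"constructed-ftpmaster-key-material"
MAIN_RELEASE = b"Suite: unstable\nCodename: sid\n"
SOURCES = {
    "debian-main": {"release": MAIN_RELEASE, "key_id": "ftpmaster",
                    "sig": sign_release(MAIN_RELEASE, FTPMASTER_KEY)},
    # Signed, but with a key that is not in our keyring.
    "example-backports": {"release": b"Suite: backports\n", "key_id": "backports",
                          "sig": bytes(32)},
    # Plain unsigned Release file.
    "local-mirror": {"release": b"Suite: local\n", "key_id": None, "sig": None},
}
KEYRING = {"ftpmaster": FTPMASTER_KEY}
CACHE = {  # package -> origin; "downloaded" marks .debs already in the cache
    "apt": {"source": "debian-main", "downloaded": True},
    "foo": {"source": "example-backports", "downloaded": True},
    "bar": {"source": "example-backports", "downloaded": False},
    "baz": {"source": "local-mirror", "downloaded": True},
}
TRUST_FTPMASTER = {"trusted_keys": {"ftpmaster"}}
TRUST_NOTHING = {"trusted_keys": set()}

if __name__ == "__main__":
    _, untrusted = plan_install(list(CACHE), CACHE, SOURCES, KEYRING, TRUST_FTPMASTER)
    print(format_warning(untrusted))
    # Same cache, policy tightened afterwards: already-downloaded "apt" now prompts too.
    print(plan_install(["apt"], CACHE, SOURCES, KEYRING, TRUST_NOTHING))
```

Running the block prints a two-source warning for the first policy, then shows that under the tightened policy "apt" is reported as untrusted even though its .deb was already in the cache; that is the behaviour the message asks for from the pkgDepCache side. A real implementation would replace the HMAC stand-in with OpenPGP verification of Release.gpg against the shipped keyring.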