
Bug#203741: apt-secure



On Tue, Sep 09, 2003 at 01:13:19AM -0400, Isaac Jones wrote:

> Matt Zimmerman <mdz@debian.org> writes:
> 
> > Argh, this is a show-stopper I think.  
> 
> I disagree.  It would still be good to offer the users the _ability_ to
> use only secure sources (for sensitive systems, for instance).  Also,
> including the security features will allow users to start transitioning to
> all secure sources, and give package distributors incentive to secure
> their own sources (especially if apt complains a bit).  We can make this
> less painful by adding features to tools like mini-dinstall.

I don't think it's particularly valid for apt to complain unless it can
actually distinguish whether it is installing packages from insecure sources
(which it cannot).  If a warning is given when things are obviously
insecure, users will take the lack of a warning to be a blessing.

> > So there's no real security unless every one of your sources is
> > authenticated.
> 
> This has always been the case.  Any package can do anything to your
> system.

Having a prompt lets you have an insecure source in sources.list without
allowing it to sneak in a new version of a package that is currently
installed from a secure source.  It means that you can run "apt-get install
foo" and know that you will not get an untrusted version of foo unless you
explicitly sign off on it.  It also means that if you find yourself about to
install an untrusted package, you can do whatever is necessary in order to
authenticate or audit the package before installing it.

I think it provides a much smoother and safer upgrade path for existing
users, most of whom will have insecure sources.  Their official Debian
sources are automatically authenticated, and they are warned about
everything else.

> > These days, systems with unofficial sources in sources.list seem to be
> > more common than those without.
> 
> There's nothing that says only official sources can be secure :)

See above; they have no particular incentive to become secure unless apt
places roadblocks in front of untrusted packages, and if it does that
without being able to differentiate accurately, it leads to a dangerous
false sense of security.

-- 
 - mdz
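The prompt behaviour mdz argues for above (an unauthenticated source may sit in sources.list, but it cannot silently replace a package that was installed from an authenticated source, and "apt-get install foo" will not hand you an untrusted foo without explicit sign-off) can be modelled as a small candidate-selection policy. The following is an added illustration written for this page; it is not apt's code and not from the bug thread. It assumes each index entry carries a label saying whether its source's Release file authenticated, uses tuples instead of dpkg's version comparison, and the package names and source labels are constructed.

```python
"""Model of an apt-secure style trust prompt (added illustration, not apt's code).

Candidate selection picks the highest available version, as apt does by
default, but a candidate from an unauthenticated source is *held* for
explicit acceptance instead of being installed or upgraded silently.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]  # simplified; real apt uses dpkg version ordering
    source: str               # hypothetical source label (constructed)
    authenticated: bool       # True if the source's Release file verified


class UntrustedPackage(Exception):
    """Chosen candidate comes from an unauthenticated source and the caller
    has not explicitly accepted it."""


# Constructed package index: "foo" is available from an authenticated official
# mirror and, at a newer version, from an unsigned third-party source.
INDEX: List[Candidate] = [
    Candidate("foo", (1, 0), "official", True),
    Candidate("foo", (1, 1), "third-party", False),
    Candidate("bar", (2, 0), "official", True),
]


def best_candidate(name: str, index: List[Candidate]) -> Candidate:
    """Highest version regardless of trust: trust is checked afterwards, so an
    unsigned source cannot be silently outranked *or* silently preferred."""
    cands = [c for c in index if c.name == name]
    if not cands:
        raise KeyError(name)
    return max(cands, key=lambda c: c.version)


def plan_install(name: str, index: List[Candidate],
                 accept_untrusted: bool = False) -> Candidate:
    """'apt-get install name': return the candidate that would be installed,
    or raise UntrustedPackage unless the caller has signed off on it."""
    cand = best_candidate(name, index)
    if cand.authenticated or accept_untrusted:
        return cand
    raise UntrustedPackage(
        f"{name} {'.'.join(map(str, cand.version))} from {cand.source} "
        "is not authenticated")


def install_is_blocked(name: str, index: List[Candidate]) -> bool:
    """True if installing `name` would require an explicit trust prompt."""
    try:
        plan_install(name, index)
    except UntrustedPackage:
        return True
    return False


def plan_upgrade(installed: Dict[str, Candidate],
                 index: List[Candidate]) -> Tuple[List[Candidate], List[Candidate]]:
    """Split pending upgrades into (safe, held): safe ones come from
    authenticated sources; held ones would replace an installed package with
    an unauthenticated version and so need explicit sign-off."""
    safe: List[Candidate] = []
    held: List[Candidate] = []
    for name, current in installed.items():
        cand = best_candidate(name, index)
        if cand.version <= current.version:
            continue  # nothing newer available
        (safe if cand.authenticated else held).append(cand)
    return safe, held


if __name__ == "__main__":
    installed = {
        "foo": Candidate("foo", (1, 0), "official", True),
        "bar": Candidate("bar", (1, 9), "official", True),
    }
    safe, held = plan_upgrade(installed, INDEX)
    print("safe upgrades:", [c.name for c in safe])
    print("held for confirmation:", [c.name for c in held])
    print("install foo blocked:", install_is_blocked("foo", INDEX))
```

Running it shows `bar` upgrading without a prompt while the newer third-party `foo` is held; the user can still accept it with `accept_untrusted=True`, which corresponds to the explicit sign-off in the mail. Note that the model's usefulness rests entirely on the `authenticated` label being accurate per source, which is exactly the distinction the earlier part of the thread says apt must be able to make before warning at all.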
