Matt Zimmerman <firstname.lastname@example.org> writes:
> What is the migration path that you are suggesting? That we check
> signatures where they are available, and where they are not, warn the user
> during apt-get update? I suppose this is better than nothing.
I think we should give the user an option to disallow insecure
sources --secure-only, so update fails on insecure sources. This is
good for people with sensitive systems. People will be excited about
the feature and they _will_ start securing their sources, especially
if we promise that this will someday be the default.
We should also give the user an option to allow insecure sources,
which would be the default: --ignore-insecure.
The logic behind the flag names is that right now we're checking
sources; maybe in the future, we'll be able to check packages (that's
why the flag isn't --secure-sources-only). No promise to the end user
about how it's done, but apt basically has a secure mode and a
Whether or not to warn the user during update if they are in "insecure
mode" is up to you. I think that's a good idea, and it'll help bring
attention to the new security features. The important part, IMHO, is
to give users the ability to secure their machines if they want, and
to give source maintainers ample warning that security is coming and
they should jump on the bandwagon.
I feel that the combination of SELinux with "apt-secure" will make a
damn secure system, and would be very valuable in Sarge. I think that
there are people who will switch to Debian for this feature.
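The two modes proposed above (--secure-only fails the update on any source without a verifiable signature; the default --ignore-insecure only warns), modelled as an added example that is not code from this thread or from apt itself. The archive keys, Release file contents and source names are constructed for the example, and the detached signature is a hypothetical HMAC stand-in for the OpenPGP signature apt would actually check; it only models the three outcomes that matter for the policy: signature present and good, signature present and bad, signature absent or unverifiable.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed per-archive keys. Stand-in for the archive's public key ring;
# a real implementation would verify a detached OpenPGP signature instead.
ARCHIVE_KEYS = {
    "debian-main": b"constructed-key-main",
    "security": b"constructed-key-security",
}


def sign_release(archive: str, release: bytes) -> bytes:
    """Hypothetical signer: HMAC over the Release file under the archive key."""
    return hmac.new(ARCHIVE_KEYS[archive], release, hashlib.sha256).digest()


@dataclass
class Source:
    name: str
    archive: str
    release: bytes
    signature: Optional[bytes] = None  # None models a source with no Release.gpg


class InsecureSourceError(Exception):
    """Raised in --secure-only mode when a source cannot be verified."""


class BadSignatureError(Exception):
    """Raised when a signature is present but does not verify (any mode)."""


def verify_source(src: Source) -> str:
    """Return 'signed' or 'unverified'; raise BadSignatureError on a bad signature.

    A source is 'unverified' when it ships no signature or when we hold no key
    for its archive (assumption: both get the same policy treatment).
    """
    key = ARCHIVE_KEYS.get(src.archive)
    if src.signature is None or key is None:
        return "unverified"
    expected = hmac.new(key, src.release, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, src.signature):
        raise BadSignatureError(src.name)
    return "signed"


def update(sources: List[Source], secure_only: bool = False) -> Tuple[List[str], List[str]]:
    """Model of `apt-get update` under the two proposed modes.

    Returns (verified_source_names, warnings). In --secure-only mode an
    unverified source aborts the update; in the default --ignore-insecure
    mode it is accepted with a warning. A signature that is present but
    wrong aborts in both modes, since that is a failed check, not a missing one.
    """
    verified, warnings = [], []
    for src in sources:
        status = verify_source(src)  # may raise BadSignatureError
        if status == "signed":
            verified.append(src.name)
        elif secure_only:
            raise InsecureSourceError(
                f"{src.name}: no verifiable signature and --secure-only is set")
        else:
            warnings.append(
                f"WARNING: {src.name} is not signed; its packages are unverified")
    return verified, warnings


# Constructed sample data: one signed archive, one unsigned local mirror, and
# one source whose Release file was changed after it was signed.
REL_MAIN = b"Origin: Debian\nSuite: sarge\nSHA1:\n 0123abcd 4096 main/binary-i386/Packages\n"
REL_SEC = b"Origin: Debian-Security\nSuite: sarge\n"
REL_LOCAL = b"Origin: local mirror\nSuite: sarge\n"

SAMPLE_SOURCES = [
    Source("debian-main", "debian-main", REL_MAIN, sign_release("debian-main", REL_MAIN)),
    Source("local-mirror", "local", REL_LOCAL),
]
TAMPERED_SOURCE = Source("security-mirror", "security",
                         REL_SEC + b"Tampered: yes\n", sign_release("security", REL_SEC))

if __name__ == "__main__":
    ok, warns = update(SAMPLE_SOURCES)            # default --ignore-insecure
    print("verified:", ok)
    for w in warns:
        print(w)
    try:
        update(SAMPLE_SOURCES, secure_only=True)  # --secure-only
    except InsecureSourceError as e:
        print("update aborted:", e)
```

The split between `InsecureSourceError` and `BadSignatureError` is the design point worth keeping whichever flag is default: the warning path is only for sources that cannot be checked at all, while a signature that is present and wrong is always a hard failure, because that is the case where a mirror or the network has actually changed the data.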