Bug#203741: apt-secure
On Mon, Sep 22, 2003 at 11:16:03AM -0400, Isaac Jones wrote:
> Matt Zimmerman <mdz@debian.org> writes:
>
> > What is the migration path that you are suggesting? That we check
> > signatures where they are available, and where they are not, warn the user
> > during apt-get update? I suppose this is better than nothing.
>
> I think we should give the user an option to disallow insecure
> sources --secure-only, so update fails on insecure sources. This is
> good for people with sensitive systems. People will be excited about
> the feature and they _will_ start securing their sources, especially
> if we promise that this will someday be the default.
Mind if I start CCing things to the BTS? I'd like to keep a record of the
discussion and keep others in the loop.
> We should also give the user an option to allow insecure sources,
> which would be the default --ignore-insecure.
>
> The logic behind the flag names is that right now we're checking
> sources, maybe in the future, we'll be able to check packages (that's
> why the flag isn't --secure-sources-only). No promise to the end user
> about how it's done, but apt basically has a secure mode and a
> insecure mode.
>
> Whether or not to warn the user during update if they are in "insecure
> mode" is up to you. I think thats a good idea, and it'll help bring
> attention to the new security features. The important part, IMHO, is to
> give users the ability to secure their machines if they want, and to give
> source maintainers ample warning that security is coming and they should
> jump on the bandwagon.
I guess this is reasonable...have a "require verification" config option or
such, and if it is true, verification errors will be fatal, and if it is
false, verification errors will be warnings.
I definitely feel that this is very valuable, but according the release
schedule that AJ set forth, changes to major packages like apt should
already be done by now in order for things to go forward. :-/
--
- mdz
Reply to: