
Bug#203741: apt-secure



Matt Zimmerman <mdz@debian.org> writes:

> I don't think it's particularly valid for apt to complain unless it can
> actually distinguish whether it is installing packages from insecure sources
> (which it cannot).  If a warning is given when things are obviously
> insecure, users will take the lack of a warning to be a blessing.

So apt knows about insecure sources and can warn the user about that.
I'm not sure how strongly you meant the "show stopper" comment, but I
think it is far more desirable to give a transition path toward all
secure sources in the next release than to punt until we work out dpkg
issues.  There are still lots of options open for the user interface
(see below).

> I think it provides a much smoother and safer upgrade path for existing
> users, most of which will have insecure sources.  Their official Debian
> sources are automatically authenticated, and they are warned about
> everything else.

I agree that what you wanted was better.  I'm only arguing that not
having this is not, in fact, a show stopper.  The user can still have
secure sources, and people who care will put pressure on the
maintainers of the unofficial sources to secure them.  That's what
they've been doing to us :)

> See above; they have no particular incentive to become secure unless apt
> places roadblocks in front of untrusted packages, 

Or in front of untrusted sources :)

> and if it does that without being able to differentiate accurately,
> it leads to a dangerous false sense of security.

We can definitely get around that.  My suggestion would be that in
this release (if you feel that we don't have time to change dpkg to
allow your interface), we:

* default to allowing insecure sources unless the user passes a flag
to disallow it, and

* sometime soon, we default to disallowing insecure sources unless the
user passes a flag to allow it.

Both flags will be available in the first release.  This should keep
everyone happy.  People who want only secure sources can have real
security (by passing the flag); the default behavior won't change for
the first release, which gives users time to update any scripts; and
the plan to change the default will give source administrators time
(and incentive!) to update their sources before they become broken.

I would even be a fan of defaulting to disallow insecure sources in
this release, but I suspect that would piss people off.

peace,

isaac


