
Bug#203741: apt-secure



On Wed, Sep 10, 2003 at 10:39:41PM -0400, Isaac Jones wrote:

> Matt Zimmerman <mdz@debian.org> writes:
> 
> > I don't think it's particularly valid for apt to complain unless it can
> > actually distinguish whether it is installing packages from insecure
> > sources (which it cannot).  If a warning is given when things are
> > obviously insecure, users will take the lack of a warning to be a
> > blessing.
> 
> So apt knows about insecure sources and can warn the user about that.  I'm
> not sure how strongly you meant the "show stopper" comment, but I think it
> is far more desirable to give a transition path toward all secure sources
> in the next release than to punt until we work out dpkg issues.  There are
> still lots of options open for the user interface (see below).

apt can only warn at update time about insecure sources.  If a single
insecure source is present, it causes all sorts of problems:

 - any package requested by the user for installation or upgrade could come
   from an untrusted source without warning

 - the user gets accustomed to seeing the warning on every update, and could
   easily miss a new warning about a supposedly secure source

> > See above; they have no particular incentive to become secure unless apt
> > places roadblocks in front of untrusted packages, 
> 
> Or in front of untrusted sources :)

What do you have in mind?  Complaining every time the user runs apt-get
update would only serve to numb their response to the error messages (that's
the effect it would have on me, anyway).

> We can definitely get around that.  My suggestion would be that in
> this release (if you feel that we don't have time to change dpkg to
> allow your interface), we:
> 
> * default to allowing insecure sources unless the user passes a flag
> to disallow it, and
> 
> * sometime soon, we default to disallowing insecure sources unless the
> user passes a flag to allow it.
> 
> Both flags will be available in the first release.  This should keep
> everyone happy.  People who want only secure sources can have real
> security (by passing the flag), the default behavior won't change for
> the first release, which gives users time to update any scripts, and
> the plan to change the default will give source administrators time
> (and incentive!) to update their sources before they become broken.
> 
> I would even be a fan of defaulting to disallow insecure sources in
> this release by default, but I suspect that would piss people off.

I don't think we can even think about defaulting to rejecting insecure
sources until we've provided some simple tools for importing keys into the
trusted keyring and generating Release files.  The latter sounds like an
extension to apt-ftparchive.  I'm not sure what the former should look like.
A wrapper around gpg --import/--recv-keys?

-- 
 - mdz
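The per-package trust check that the message above argues apt would need (deciding at install time which candidate packages come from a source whose Release file was verified, rather than warning once per update), written as an added example in Python; it is not part of the original thread or of apt's own code, and the source names, package versions and the simplified dotted-version comparison are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    release_verified: bool  # True if the Release file signature checked out at update time


@dataclass(frozen=True)
class Candidate:
    package: str
    version: str
    source: Source


def version_key(v):
    # Simplification (assumption): numeric dotted versions only; dpkg's comparison is richer.
    return tuple(int(part) for part in v.split("."))


def select_candidates(index, packages):
    """Pick the highest version of each requested package across all sources, as apt
    would without pinning. The source a candidate came from is carried along."""
    chosen = {}
    for pkg in packages:
        cands = [c for c in index if c.package == pkg]
        if not cands:
            raise KeyError(pkg)
        chosen[pkg] = max(cands, key=lambda c: version_key(c.version))
    return chosen


def install_decision(index, packages, allow_unauthenticated=False):
    """Return (status, untrusted_names). status is 'ok' when every candidate comes from a
    verified source, 'refused' when some do not and the flag is off, and
    'allowed-insecure' when the flag lets them through (the thread's opt-in default)."""
    chosen = select_candidates(index, packages)
    untrusted = [c.package for c in chosen.values() if not c.source.release_verified]
    if not untrusted:
        return "ok", []
    return ("allowed-insecure" if allow_unauthenticated else "refused"), untrusted


# Constructed sample index: a verified mirror and an unverified third-party source
# that happens to carry a newer vim, which plain version selection would pick silently.
MAIN = Source("main-mirror", release_verified=True)
THIRD = Source("third-party", release_verified=False)
INDEX = [
    Candidate("vim", "6.2", MAIN),
    Candidate("vim", "6.3", THIRD),
    Candidate("bash", "2.05", MAIN),
]
```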
