Bug#749795: apt: no authentication checks for source packages
On Mon, Jun 16, 2014 at 02:58:28PM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2014-06-16 at 09:35 +0200, Michael Vogt wrote:
> > I think for the future we actually should not allow an apt-get update
> > of untrusted repos without --allow-unauthenticated or
> > [trusted=no]. But this will probably break some setups so we need to
> > be careful and not rush it.
>
> And what about the setups, which assume secure data to be retrieved (as
> far as I can see the whole build stack of Debian), which is already
> broken now?
>
> Security is much more critical here than things continuing to work... if
> someone's setup really depends on not verifying integrity... he will
> immediately notice (and can add the flag),... but no one notices if his
> security is compromised by MitMs... :-(
>
> So I see not much of a reason to not implement that right away.

Absolutely, security is (much!) more important.

However with the fix that recently went into -security "apt-get source
foo" will fail if foo comes from a not-authenticated source. What I
wrote above is about not allowing "apt-get update" at all for unsigned
repositories (unless --allow-unauthenticated is used). But maybe you
are right and the warning that I added to git should be an error that
tells the user to use --allow-unauthenticated if he/she really wants
to use a repository that we cannot authenticate.

Cheers,
Michael