On Fri, Aug 08, 2014 at 07:54:07PM -0400, Michael Gilbert wrote:
> "apt-get source" currently shows messages about invalid signatures,
> but goes on to extract the source anyway, and the error text is kind
> of easy to miss as well.
>
> A more secure default would be to use the --require-valid-signature
> option to dpkg-source.

This requires that an up-to-date debian-keyring package is installed, which is both beefy in size and even the unstable version isn't always current (not to mention in stable), so that this will fail on perfectly fine source packages, which defeats the purpose as false positives will teach people to ignore such errors (it would also mean that this should be at least a recommends of apt as it should really be possible to get the source for debian packages without too much fuss, which makes it scary).

> Note that changes here may lead to a lot of ftbfs bugs for packages
> with bad sigs, but that's a good thing. Those need a new sig anyway.

Minus security bugs in apt, it doesn't add anything and the problem of getting all keys remains: the package is (kinda by design – and wasn't it discussed to remove it entirely?) always out of date and online updates (via default protocols) are subject to MITM (as well), so I see not much point.

On the contrary, it isn't --no-check as the checksum check doesn't hurt (and I guess --no-check was not available back then) – the sig check on the other hand seems to be confusing, as proven here. I at least don't understand where you get the idea from that packages would have bad sigs and would need new sigs. I guess some dsc are signed by keys which are expired now one way or another, but they were good at the time they entered the archive (and at this point the sig on the dsc loses most of its value); a bad sig would mean it was bad from the start…

I recognize that we miss an option to add this option if you choose so, though, while for the directly following dpkg-buildpackage you can change the options given to it.

I have written a trivial patch to fix this (option Dpkg::Source-Options with default value '-x'). Note that this can be done already with a wrapper script set via dir::bin::dpkg-source if you so choose. I will mark this bug as closed with this change.

Best regards

David Kalnischkies
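The wrapper approach mentioned in the message (a script set via dir::bin::dpkg-source), as an added example that is not part of the original mail or of apt. The script name dpkg-source-strict and its install path are hypothetical, and it assumes the keys needed to verify the .dsc are available to dpkg-source, which is the limitation the message discusses.

```shell
#!/bin/sh
# Added example, not part of apt or dpkg. Hypothetical install path:
#   /usr/local/bin/dpkg-source-strict
# apt.conf entry pointing "apt-get source" at it:
#   Dir::Bin::dpkg-source "/usr/local/bin/dpkg-source-strict";

# Real binary; overridable so the wrapper can be exercised with a stub.
REAL_DPKG_SOURCE=${REAL_DPKG_SOURCE:-/usr/bin/dpkg-source}

strict_dpkg_source() {
    # Only extraction is affected; building (-b) is passed through untouched.
    extracting=no
    for arg in "$@"; do
        case $arg in
            -x|--extract) extracting=yes ;;
        esac
    done

    if [ "$extracting" = yes ]; then
        # Rebuild "$@" without options that would bypass or duplicate the
        # requirement: --no-check asks dpkg-source to skip signature and
        # checksum verification before unpacking.
        for arg in "$@"; do
            shift
            case $arg in
                --no-check|--require-valid-signature) ;;
                *) set -- "$@" "$arg" ;;
            esac
        done
        set -- --require-valid-signature "$@"
    fi

    # A missing or invalid signature now makes dpkg-source exit non-zero,
    # so the caller sees a failure instead of an easy-to-miss warning.
    "$REAL_DPKG_SOURCE" "$@"
}

# Run only when installed under the wrapper's name, so the file can also be
# sourced to exercise strict_dpkg_source on its own.
case ${0##*/} in
    dpkg-source-strict) strict_dpkg_source "$@"; exit ;;
esac
```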