
Bug#757534: apt: use --require-valid-signature option to dpkg-source for "apt-get source" by default



On Fri, Aug 08, 2014 at 07:54:07PM -0400, Michael Gilbert wrote:
> "apt-get source" currently shows messages about invalid signatures,
> but goes on to extract the source anyway, and the error text is kind
> of easy to miss as well.
> 
> A more secure default would be to use the --require-valid-signature
> option to dpkg-source.

This requires that an up-to-date debian-keyring package is installed, which
is both beefy in size and even the unstable version isn't always current
(not to mention in stable), so this will fail on perfectly fine
source packages, which defeats the purpose as false positives will teach
people to ignore such errors (it would also mean that this should be at
least a recommends of apt, as it should really be possible to get the
source for Debian packages without too much fuss, which makes it scary).


> Note that changes here may lead to a lot of ftbfs bugs for packages
> with bad sigs, but that's a good thing.  Those need a new sig anyway.

Minus security bugs in apt, it doesn't add anything and the problem of
getting all keys remains: the package is (kinda by design – and wasn't
it discussed to remove it entirely?) always out of date and online
updates (via default protocols) are subject to MITM (as well), so I
don't see much point. On the contrary, it isn't --no-check as the checksum
check doesn't hurt (and I guess --no-check was not available back then)
– the sig check on the other hand seems to be confusing, as proven here.
I at least don't understand where you get the idea from that packages
would have bad sigs and would need new sigs. I guess some dsc are signed
by keys which are expired now one way or another, but they were good at
the time they entered the archive (and at this point the sig on the dsc
loses most of its value); a bad sig would mean it was bad from the
start…


I recognize that we are missing an option to add this option if you choose
to, though, while for the directly following dpkg-buildpackage you can change
the options given to it. I have written a trivial patch to fix this
(option Dpkg::Source-Options with default value '-x'). Note that this
can be done already with a wrapper script set via dir::bin::dpkg-source
if you so choose. I will mark this bug as closed with this change.


Best regards

David Kalnischkies
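As an added example (not part of the bug report, nor apt's or dpkg's own code), this is the wrapper approach mentioned in the reply: a dpkg-source wrapper, pointed to via dir::bin::dpkg-source, that adds --require-valid-signature to every extraction (-x) that apt-get source performs. The install path and the REAL_DPKG_SOURCE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: a dpkg-source wrapper enforcing signature validation on
# extraction. Install it (e.g. as /usr/local/bin/dpkg-source-strict, an
# assumed path) and point apt at it:
#   apt-get -o Dir::Bin::dpkg-source=/usr/local/bin/dpkg-source-strict source <pkg>
# REAL_DPKG_SOURCE (assumed variable) names the real dpkg-source binary.

REAL_DPKG_SOURCE="${REAL_DPKG_SOURCE:-/usr/bin/dpkg-source}"

# Succeed (exit 0) when the argument list is an extraction (-x/--extract)
# that does not already carry --require-valid-signature, i.e. the flag
# must be inserted. Build (-b) and other modes are forwarded untouched.
needs_require() {
    extract=0
    has_require=0
    for a in "$@"; do
        case "$a" in
            -x|--extract) extract=1 ;;
            --require-valid-signature) has_require=1 ;;
        esac
    done
    [ "$extract" -eq 1 ] && [ "$has_require" -eq 0 ]
}

# Print the argument list the real dpkg-source would receive, one argument
# per line, so the wrapper's effect can be checked without running dpkg-source.
effective_args() {
    if needs_require "$@"; then
        set -- --require-valid-signature "$@"
    fi
    printf '%s\n' "$@"
}

# Forward only when invoked with arguments, i.e. when acting as the wrapper.
if [ $# -gt 0 ]; then
    if needs_require "$@"; then
        set -- --require-valid-signature "$@"
    fi
    exec "$REAL_DPKG_SOURCE" "$@"
fi
```

As the reply points out, extraction then fails unless the debian-keyring package is installed and actually contains the signing key, so expect failures on otherwise fine source packages.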


