
Bug#678990: marked as done (does not state URL of unauthenticated/unsigned packages)



Your message dated Fri, 14 Aug 2015 10:57:50 +0200
with message-id <20150814085750.GA18019@crossbow>
and subject line Re: does not state domain of unauthenticated/unsigned packages
has caused the Debian Bug report #678990,
regarding does not state URL of unauthenticated/unsigned packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
678990: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678990
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.9.5.1

I am testing code on the debian-testing-i386-DVD-1.iso,
as it was on 2012 06 11.

I gave the command:
apt-get install ttf-dejavu
.
It output some info, including 
"
The following NEW packages will be installed:
  ttf-dejavu ttf-dejavu-extra
"
It did not state where it would obtain these packages from.
It asked me whether to proceed.
I answered "y".

It replied
"
WARNING: The following packages cannot be authenticated!
  ttf-dejavu-extra ttf-dejavu
Install these packages without verification [y/N]?"

I would prefer that it tell me where these packages will come from, 
if I were to ask it to proceed.
I would like it to tell me BEFORE I ask it to proceed.

If it will obtain the packages from my hard disk or from a local 
CD-ROM, then I can make a decision.
But if these packages are to come over the Internet, then I require a 
valid signature, before proceeding.

Please alter apt-get to give the user/sys-admin this necessary 
information BEFORE he decides whether to proceed with the install.

This will become more important when it becomes common-place to 
install over Wi-Fi, using Wi-Fi 'hotspots'.

I had edited /etc/apt/sources.list, it contains:
deb    file:///media/cdrom0/ wheezy contrib main
.

Best regards
Richard Betham



--- End Message ---
--- Begin Message ---
Hi

On Mon, Jun 25, 2012 at 05:41:05PM +0100, Richard Betham wrote:
> On second thoughts:
> When a lot of packages are asked for, it would be better if apt were 
> to state the domain names (and perhaps the dist names) of the 
> unsigned-for packages.
> This would serve my purposes adequately, provided that the 
> information is available before I decide to proceed with installation 
> of unsigned packages.

sources which you trust even though they have no signature can be
marked as trusted=yes nowadays (as documented in the sources.list manpage).
So local sources/cdrom can be marked this way.

Other sources not marked as such will generate this big warning, which
is always bad, regardless of the source they come from as
ftp.example.org isn't inherently more trustable than ftp2.example.org.
In fact, given that they provide unauthenticated packages is a hint that
something is very very fishy, regardless of the exact source, but
splitting it by source suggests that there is a difference and one of
them could somehow be more trusted than the other. Also, an
inexperienced user might see big names here and think "okay, that is
probably okay" while actually an attack was performed on him hiding
under this name (see man-in-the-middle).

So, longer output & potential for dangerous misunderstandings – I don't
think we should do this and hence I am closing as wontfix.


Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature


--- End Message ---
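The reply above points at the trusted=yes option as the way to handle a local, unsigned source such as the reporter's CD-ROM: apt then accepts that source even when its Release file is unsigned or cannot be verified, which is defensible for a medium you control and never for a network mirror. The following is an added example, not code from the bug report, from apt, or from either correspondent: a POSIX sh audit of a sources.list that reports, per entry, whether it is a local or network source and whether trusted=yes has switched signature verification off. The sources.list content is constructed for the example (the first line is the reporter's own entry; the other hosts and paths are made up), and the verdict names are this script's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from apt itself: audit an
# APT sources.list for the [trusted=yes] option discussed in the reply.
# trusted=yes tells apt to accept a source even if its Release file is
# unsigned or cannot be verified, so it is only defensible for a local
# medium you control (file:, cdrom:) and never for a network source.

# Constructed sample sources.list. The first line is the reporter's own
# entry; the remaining lines (hosts, paths) are made up for this example.
SAMPLE_SOURCES='deb    file:///media/cdrom0/ wheezy contrib main
deb [trusted=yes] file:///srv/local-repo/ wheezy main
deb [arch=i386 trusted=yes] http://mirror.example.org/debian wheezy main
deb http://ftp.example.org/debian wheezy main
# deb-src http://ftp.example.org/debian wheezy main'

# Read sources.list text on stdin and print "<verdict> <uri>" per entry.
# Verdict names are this script's own, not apt terminology:
#   ok               network source; apt verifies the Release signature
#   local-untrusted  local source without trusted=yes; apt will warn
#   local-trusted    local source with trusted=yes; fine if you control it
#   NETWORK-TRUSTED  network source with trusted=yes; verification is off
audit_sources() {
  set -f   # no pathname expansion: "[trusted=yes]" is also a glob pattern
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
    esac
    set -- $line
    case "$1" in
      deb|deb-src) shift ;;
      *) continue ;;
    esac
    opts=''
    case "$1" in
      '['*)
        # The option list may span several words: [arch=i386 trusted=yes]
        while [ $# -gt 0 ]; do
          opts="$opts $1"
          case "$1" in
            *']') shift; break ;;
          esac
          shift
        done
        ;;
    esac
    uri=$1
    case "$opts" in
      *'trusted=yes'*) trusted=yes ;;
      *) trusted=no ;;
    esac
    case "$uri" in
      file:*|cdrom:*|copy:*) is_local=yes ;;
      *) is_local=no ;;
    esac
    if [ "$is_local" = yes ]; then
      if [ "$trusted" = yes ]; then verdict=local-trusted; else verdict=local-untrusted; fi
    elif [ "$trusted" = yes ]; then
      verdict=NETWORK-TRUSTED
    else
      verdict=ok
    fi
    printf '%s %s\n' "$verdict" "$uri"
  done
  set +f
}

# Succeed (exit 0) only when no network source has trusted=yes, so the
# check can gate a provisioning step; reads sources.list text on stdin.
check_no_network_trusted() {
  n=$(audit_sources | grep -c '^NETWORK-TRUSTED ' || true)
  [ "$n" -eq 0 ]
}

printf '%s\n' "$SAMPLE_SOURCES" | audit_sources
```

For the reporter's setup the entry would become `deb [trusted=yes] file:///media/cdrom0/ wheezy contrib main`, which silences the warning for that disc only; a network line carrying trusted=yes is what the audit flags. To see where apt would fetch a package from before confirming, `apt-get install --print-uris ttf-dejavu` prints the URIs, sizes and hashes instead of downloading, and `apt-cache policy ttf-dejavu` shows the candidate version and the source it comes from.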
