Hi,

Julian already commented on most, so let me just pick up the rest.

On Sun, Sep 06, 2015 at 07:49:03AM +0200, Johannes Schauer wrote:
> Quoting Thorsten Glaser (2015-09-05 23:21:47)
> > >Support repositories without a release file is deprecated, and warnings will be
> > >shown in such cases.

Michael actually want(ed) to set Acquire::AllowInsecureRepositories=0 by default for stretch already. I talked him into keeping it at =1 for the time being, but even I see no reason not to set it to =0 for buster.

Note that this talks about insecure repositories, which is the scary name for unsigned repositories – which repositories without a Release file are only a subset of. Just that unsigned is easy to sidestep with trusted=yes.

> what is the rationale behind deprecating repositories without
> Is it just to simplify code on the apt side? Is there a feature that only works
> if all repositories have a release file?

(There are actually a few tricks pulled which can only be done with Release files, but they are all optional and "optimizations", so I am not going to use them as reasons)

The rationale is indeed simplification of code – it is surprisingly non-trivial to download files securely, and it's even harder if you have at each point to provide a loophole for unsecured files while avoiding that a supposed-to-be-secured file steps through the loophole – and not only for us, but for everyone reusing our files and data. Implementing e.g. warnings for unauthenticated packages is busy work and often forgotten in frontends, resulting in grave security holes.

It is also a huge usability problem: As long as we support unsigned repositories we can at most warn about them. That means that a MITM who just sends 404 for the Release files gets you to download his data files and all we can show is a warning – and if we are 'lucky' some frontend will pick it up and use it just as if it were perfectly signed (or the attacker has knowledge of a decompressor bug).

So supporting unsigned has a significant cost not only in apt itself, but in everything working with repositories. In comparison, creating a Release file can e.g. be done in a single apt-ftparchive call. Any reasonable archive creation tool creates them already anyway. Then just mark it as trusted=yes if it's local – or sign it if not, which isn't hard either and a super good idea anyhow in that case.

So yes, let's make repository handling KISS, because that is what you want if you deal with security related things.

Best regards

David Kalnischkies
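As an added illustration (not code from this thread or from apt), the audit below classifies the local file: entries of a sources.list by what apt would find: an InRelease or Release.gpg signature, a Release file only (acceptable with trusted=yes), or no Release file at all, which is the case the thread deprecates. It assumes the one-line sources.list format and checks a three-repository tree constructed in a temporary directory; remote URIs are only reported, not fetched.

```python
import os
import re
import tempfile

# Assumed one-line sources.list form (no deb822): deb [opt=val ...] uri suite [component ...]
_DEB_LINE = re.compile(r'^\s*deb(?:-src)?\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)')


def release_dir(uri, suite):
    """Directory apt reads Release/InRelease from for a file: source (flat repos end in '/')."""
    root = uri[len('file:'):]
    return os.path.join(root, suite) if suite.endswith('/') else os.path.join(root, 'dists', suite)


def classify_line(line):
    """'signed' (InRelease or Release+Release.gpg), 'trusted-unsigned' (Release only, trusted=yes),
    'unsigned' (Release only), 'no-release' (deprecated case), 'remote' (not checked), 'skip'."""
    m = _DEB_LINE.match(line)
    if not m:
        return 'skip'
    opts = dict(o.split('=', 1) for o in (m.group('opts') or '').split() if '=' in o)
    uri, suite = m.group('uri'), m.group('suite')
    if not uri.startswith('file:'):
        return 'remote'
    d = release_dir(uri, suite)
    has = {n: os.path.isfile(os.path.join(d, n)) for n in ('InRelease', 'Release', 'Release.gpg')}
    if has['InRelease'] or (has['Release'] and has['Release.gpg']):
        return 'signed'
    if has['Release']:
        return 'trusted-unsigned' if opts.get('trusted', '').lower() == 'yes' else 'unsigned'
    return 'no-release'


def audit(sources_text):
    """Map each deb line apt could not fully authenticate to its status (signed lines are dropped)."""
    pairs = ((l.strip(), classify_line(l)) for l in sources_text.splitlines())
    return {l: s for l, s in pairs if s not in ('skip', 'signed')}


def demo():
    """Constructed tree: one signed repo, one Release-only repo marked trusted, one bare repo."""
    base = tempfile.mkdtemp()
    for suite, files in (('signed', ('InRelease',)), ('local', ('Release',)), ('bare', ())):
        os.makedirs(os.path.join(base, 'dists', suite))
        for f in files:
            open(os.path.join(base, 'dists', suite, f), 'w').close()
    sources = (f'deb file:{base} signed main\n'
               f'deb [trusted=yes] file:{base} local main\n'
               f'deb file:{base} bare main\n'
               'deb http://mirror.example/debian stretch main\n')  # constructed placeholder mirror
    return audit(sources)
```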