Bug#808367: apt: defaults to allow insecure repos and documents it wrong

[Christoph Anton Mitterer <calestyo@scientia.net>]

Package: apt
Version: 1.1.5
Severity: normal
Tags: security


Hi.

Apparently, as per:
>apt (1.1~exp5) experimental; urgency=medium
>  * Change default of Acquire::AllowInsecureRepositories to "true"
>    so that this change is less disruptive, this will be switched
>    to "false" again after jessie

insecure repos are not completely forbidden, right now.

However, jessie is out and that hasn't been changed back.


Further the manpage even names a wrong default:
>       AllowInsecureRepositories
>           Allow the update operation to load data files from a repository
>           without a trusted signature. If enabled this option no data files
>           will be loaded and the update operation fails with a error for this
>           source. The default is false for backward compatibility. This will
>           be changed in the future.

I think the general problem here, is that the defaults in the manpages aren't
generated out of the code, which is always highly error prone.

Moroever, the above documentation text is quite ambiguous:
I'd expect that AllowInsecureRepositories=true means, that insecure repos are
allowed, right?
However, the text further says:
>If enabled this option no data files will be loaded and the update operation
>fails with a error

Shouldn't that read "if DISABLED"?


Cheers,
Chris.