Bug#776562: marked as done (apt: Please document explicitly that "apt-get --force-yes" may allow unauthenticated packages to be installed)
Your message dated Thu, 4 Feb 2016 00:13:40 +0100
with message-id <20160204001151.GA9220@debian.org>
and subject line Re: Bug#776562: apt: Please document explicitly that "apt-get --force-yes" may allow unauthenticated packages to be installed
has caused the Debian Bug report #776562,
regarding apt: Please document explicitly that "apt-get --force-yes" may allow unauthenticated packages to be installed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
776562: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776562
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: Please document explicitly that "apt-get --force-yes" may allow unauthenticated packages to be installed
- From: Axel Beckert <abe@debian.org>
- Date: Thu, 29 Jan 2015 11:28:59 +0100
- Message-id: <87d25x6ftg.fsf@kiva6.ethz.ch>
Package: apt
Version: 1.0.9.6
Severity: wishlist
Tags: security
Dear APT Developers,

apt-get(8) states:

    --force-yes
        Force yes; this is a dangerous option that will cause apt to
        continue without prompting if it is doing something
        potentially harmful. It should not be used except in very
        special situations. Using force-yes can potentially destroy
        your system! Configuration Item: APT::Get::force-yes.

Please mention explicitly that this may cause unauthenticated packages
to be installed.

Reasoning:

Many people seem to assume that the aforementioned words "dangerous" and
"harmful" imply broken stuff or inconsistencies, i.e. stuff doesn't work
anymore afterwards.

They don't expect or at least don't think of security-related issues
like e.g. a compromised system which you may not notice immediately.

Examples of bug reports caused by this assumption:

* https://github.com/grml/grml-debootstrap/issues/62 (grml-debootstrap;
  upstream bug report)
* https://bugs.debian.org/776487 (in xen-tools; initially reported
  upstream, bug exists since 2005)
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (500, 'buildd-unstable'), (400, 'stable'), (110, 'experimental'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.18.0-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages apt depends on:
ii debian-archive-keyring 2014.3
ii gnupg 1.4.18-6
ii libapt-pkg4.12 1.0.9.6
ii libc6 2.19-13
ii libgcc1 1:4.9.2-10
ii libstdc++6 4.9.2-10
apt recommends no packages.
Versions of packages apt suggests:
ii apt-doc 1.0.9.6
ii aptitude 0.6.11-1+b1
ii dpkg-dev 1.17.23
ii python-apt 0.9.3.11
ii wajig 2.17
-- no debconf information
--- End Message ---
--- Begin Message ---
- To: 776562-done@bugs.debian.org
- Subject: Re: Bug#776562: apt: Please document explicitly that "apt-get --force-yes" may allow unauthenticated packages to be installed
- From: Julian Andres Klode <jak@debian.org>
- Date: Thu, 4 Feb 2016 00:13:40 +0100
- Message-id: <20160204001151.GA9220@debian.org>
- In-reply-to: <87d25x6ftg.fsf@kiva6.ethz.ch>
- References: <87d25x6ftg.fsf@kiva6.ethz.ch>
Version: 1.1~exp9
On Thu, Jan 29, 2015 at 11:28:59AM +0100, Axel Beckert wrote:
> Package: apt
> Version: 1.0.9.6
> Severity: wishlist
> Tags: security
>
> Dear APT Developers,
>
> apt-get(8) states:
>
>     --force-yes
>         Force yes; this is a dangerous option that will cause apt to
>         continue without prompting if it is doing something
>         potentially harmful. It should not be used except in very
>         special situations. Using force-yes can potentially destroy
>         your system! Configuration Item: APT::Get::force-yes.
>
> Please mention explicitly that this may cause unauthenticated packages
> to be installed.
We deprecated --force-yes in 1.1~exp9 and you should use --allow-unauthenticated
now instead (if you want that, and/or other --allow options), so I think we can
close this now.
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
--- End Message ---
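One way to find the usage this report is concerned with, as an added example that is not part of the bug report or of APT: a shell function that scans provisioning scripts and apt.conf fragments for `--force-yes` / `APT::Get::force-yes` and for its explicit replacement `--allow-unauthenticated`. The function name and output format are hypothetical, and the configuration item `APT::Get::AllowUnauthenticated` is taken from apt-get(8) rather than from this thread.

```shell
#!/bin/sh
# Added example: flag apt-get options that permit unauthenticated installs.
# Usage: audit_apt_flags FILE...   (shell scripts or apt.conf fragments)
# Prints "file:line:CLASS:text" per hit; returns 1 if anything was found.
audit_apt_flags() {
    awk '
    function report(class) {
        printf "%s:%d:%s:%s\n", FILENAME, FNR, class, $0
        hits++
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # Skip whole-line comments: "#" in shell, "//" in apt.conf.
        if (line ~ /^#/ || line ~ /^\/\//) next
        # apt configuration item names are case-insensitive.
        low = tolower(line)
        # Ignore settings that switch the option off, e.g.
        #   APT::Get::force-yes "false";   or   --force-yes=no
        if (low ~ /(force-yes|allow-?unauthenticated)[ \t=]+"?(false|no|off|0)("|;|[ \t]|$)/)
            next
        if (low ~ /force-yes/)
            report("FORCE-YES")        # deprecated blanket override
        else if (low ~ /allow-?unauthenticated/)
            report("ALLOW-UNAUTH")     # explicit opt-out of authentication
    }
    END { exit (hits > 0 ? 1 : 0) }
    ' "$@"
}

# Run directly when file arguments are given.
if [ "$#" -gt 0 ]; then
    audit_apt_flags "$@"
fi
```

The check is line-based, so a nested apt.conf scope that spells the option on its own line is still matched by name, but an option mentioned only in a trailing comment is reported as well.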