
Bug#878958: apt: let admins decide security matters not the apt team



Package: apt
Version: 1.4.8
Severity: wishlist

Dear Maintainer,

Aptitude developers have taken the liberty of deciding for everyone
subjectively what quality of cryptographic signature is adequate for
everyone in a single sweeping decision, without knowing the individual
threat models and assets that the decision is trying to protect.  This
decision is in the wrong hands.  Sys admins are accountable for the
security of the systems they control, and so responsibility and
control should go to the same people who have accountability.

Specifically, consider the SHA1 removal, documented here:

  https://wiki.debian.org/Teams/Apt/Sha1Removal

If the apt team must decide on everyone's security standards, blocking
SHA1 was a good move.  But that's not the case.  The apt suite of
tools could have some sensible defaults as far as which signing
algorithms are accepted or not, but ultimately the admin should be in
control of her own system.  Maybe an admin finds SHA256 insufficient,
and requires an even higher standard.  Who is the apt team to tell her
which algorithm she may and may not trust?

There is a hack to say trust all, which can even be used on a per
repository basis or all repositories, but this is the wrong mechanism
as it disables validity checking entirely.  The sys admin should
control which algorithms are fit for purpose, and the apt tool should
check validity on admin-permitted algorithms.

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- (/etc/apt/sources.list.d/gc2latex.list present, but not submitted) --


-- (/etc/apt/sources.list.d/gc2latex.list.save present, but not submitted) --


-- (/etc/apt/sources.list.d/gc2latex.list~ present, but not submitted) --


-- (/etc/apt/sources.list.d/ring-nightly-main.list present, but not submitted) --


-- (/etc/apt/sources.list.d/ring-nightly-main.list.save present, but not submitted) --


-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=1508228706 WARNING torsocks[12992]: [syscall] Unsupported syscall number 217. Denying the call (in tsocks_syscall() at syscall.c:488)
UTF-8), LANGUAGE=en_US.UTF-8 (charmap=1508228706 WARNING torsocks[12994]: [syscall] Unsupported syscall number 217. Denying the call (in tsocks_syscall() at syscall.c:488)
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2017.5
ii  gpgv                    2.1.18-8~deb9u1
ii  init-system-helpers     1.48
ii  libapt-pkg5.0           1.4.8
ii  libc6                   2.24-11+deb9u1
ii  libgcc1                 1:6.3.0-18
ii  libstdc++6              6.3.0-18

Versions of packages apt recommends:
ii  gnupg  2.1.18-8~deb9u1

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.7-1
ii  dpkg-dev        1.18.24
ii  powermgmt-base  1.31+nmu1
pn  python-apt      <none>
ii  synaptic        0.84.2

-- debconf information excluded

