unsigned repositories (was: Re: Dropping Release and Release.gpg support from APT)
On Tue, Jul 09, 2019 at 08:53:04PM +0200, Julian Andres Klode wrote:
> So,
>
> we currently have code dealing with falling back from InRelease
> to Release{,.gpg} and it's all a bit much IMO. Now that buster
> has been released with an InRelease file, the time has IMO come for
> us to drop support for the old stuff from APT!
One thing also forgotten in all that excitement is unsigned
repositories and repositories without a *Release file.
Now, I'd argue that having support for these repositories, while
convenient, is wrong: I think it makes a lot more sense for people
to "needlessly" sign repositories and not have those code paths in
apt. Because if we have a mistake in these code paths and accidentally
don't verify a signature, that's really bad; but if you needlessly
sign a repository, it's hardly much effort.
We can maybe significantly reduce that risk by just providing a
fake gpgv that successfully verifies any file passed and using
that for unsigned repositories instead, and just, you know, fake-sign
the repository (like serve an InRelease file without an actual
signature).
I mean, I don't really know, but I always feel a bit scared by
how complex the verification stuff is.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
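As an added illustration of the unsigned-repository configurations discussed above (this is example code written for this page, not part of the mail or of APT itself): a small POSIX shell check that lists every apt source entry on a host that has been configured to skip signature verification, in both one-line `*.list` and deb822 `*.sources` form. It assumes the usual layout of a `sources.list` file plus a `sources.list.d/` directory under the given path.

```shell
#!/bin/sh
# Added example (not from the original mail or the APT project): find apt
# sources that disable signature verification, i.e. the "unsigned repository"
# code paths the mail argues should go away.
# Assumed layout: DIR/sources.list and DIR/sources.list.d/{*.list,*.sources}.
set -eu

# Print "file: lineno:line" for every source entry that turns verification off.
find_insecure_sources() {
    dir="$1"
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        case "$f" in
            *.sources)
                # deb822 style: the option is a field, e.g. "Trusted: yes"
                grep -n -i -E '^(Trusted|Allow-Insecure|Allow-Weak|Allow-Downgrade-To-Insecure):[[:space:]]*yes' "$f" \
                    | sed "s|^|$f: |" || true
                ;;
            *)
                # one-line style: the option sits inside [...], e.g. "deb [trusted=yes] http://..."
                grep -n -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*(trusted|allow-insecure|allow-weak|allow-downgrade-to-insecure)=yes' "$f" \
                    | sed "s|^|$f: |" || true
                ;;
        esac
    done
}

# Number of such entries; "0" means every configured source is verified.
count_insecure_sources() {
    find_insecure_sources "$1" | wc -l | tr -d ' '
}

# Typical use on a real host: find_insecure_sources /etc/apt
```

The same effect can also be switched on globally through apt.conf (`Acquire::AllowInsecureRepositories`), which this script does not inspect.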