Daniel Burrows wrote:

[snip]

Having purged and reinstalled mplayer-nogui, aptitude in TUI mode does indeed warn me that doing so could compromise my system. Hurrah! :)

Also, reinstalling packages never needs to show a warning, because you're always installing the same package you already have installed (and which was presumably verified to your satisfaction).

Hm, this is true. But let's assume for a minute that Marillat's repository was broken into today, and an attacker replaced the mplayer_1.0-pre6-sarge0.1_i386.deb that was already there with a rebuilt one containing some evil code.


Now, I installed mplayer-nogui a few weeks ago, when I was able to verify the repository contents. But when I asked aptitude to reinstall the package today, no warning was given--even though the .deb it subsequently installed could not be verified.

Of course it's possible that aptitude does some checking that the deb it downloaded has the same contents as the one that was installed a few weeks ago--if this is so then there is no bug. :)

One thing I don't know is what will happen if a repository that was previously secure loses its signature -- I believe that when this happened to the Debian archive, I got a warning dialog about everything that I was trying to upgrade, but I may be misremembering now. It would be (colloquially) a serious bug if that was treated as an upgrade from insecure versions to insecure versions.

I believe this is what has happened to me, except that I was reinstalling the same package rather than updating.


In other words: what happens when you try to upgrade from the package versions installed from the secure version of Christian's archive to *different* versions installed from the insecure version?

Now that I have installed the package anyway, I can't test this behaviour the next time a package in Christian's repository is updated. :(


But from what you said above, it sounds like Aptitude does the right thing.

I have a further question: what happens if I installed a package from an unverified repository, that some time later became signed by its maintainer, and then I upgraded a package that resulted in a verified version being installed, and then later _again_, the repository signature went away? Actually, I suppose it wouldn't matter because 1) I'm unlikely to have the signing key randomly imported into apt-key, and 2) I asked for the package to be installed when it was not verifiable in the first place.

Daniel

Thanks,

--
Sam Morris
http://robots.org.uk/

PGP key id 5EA01078
Fingerprint 3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078
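The two checks the thread is circling around are (a) does the downloaded .deb match the size and hash recorded in a Packages index whose Release signature was verified, and (b) in the reinstall case, does the re-downloaded .deb match the copy that was installed earlier. The following is an added illustration, not code from aptitude, apt or this mailing list; it parses a constructed Packages stanza (the Debian control format) and performs both comparisons on constructed stand-in bytes. The `index_signature_ok` flag is an assumption standing in for the result of the Release-file signature check that apt performs before any of this.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string (the digest field used in modern Packages indexes)."""
    return hashlib.sha256(data).hexdigest()


def parse_packages(text: str) -> dict:
    """Parse Packages-index stanzas (blank-line separated 'Key: value' blocks) into a
    dict keyed by the Filename field. Continuation lines (leading space) are ignored
    because none of the fields we need use them."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_download(deb_bytes: bytes, filename: str, index: dict,
                    index_signature_ok: bool):
    """Return (ok, reason). ok is True only when the index itself was signature-verified
    AND the package's Size and SHA256 match what that index records. A repository that
    has lost its signature (the case discussed in the thread) fails before any hash is
    compared, because an unsigned index proves nothing about the .deb."""
    if not index_signature_ok:
        return False, "index signature not verified; package is unverifiable"
    entry = index.get(filename)
    if entry is None:
        return False, "package not listed in the signed index"
    if int(entry.get("Size", -1)) != len(deb_bytes):
        return False, "size mismatch"
    if entry.get("SHA256", "").lower() != sha256_hex(deb_bytes):
        return False, "SHA256 mismatch"
    return True, "hash matches signed index"


def reinstall_is_same(deb_bytes: bytes, installed_sha256: str) -> bool:
    """The reinstall case: compare the freshly downloaded .deb with the digest of the
    copy installed earlier (which was verifiable at the time). This catches a .deb that
    was swapped in place even when the attacker also rewrote the Packages index, since
    the comparison does not depend on the index at all."""
    return sha256_hex(deb_bytes) == installed_sha256


# Constructed sample data: stand-ins for the real .deb and the real index stanza.
FILENAME = "pool/main/m/mplayer/mplayer_1.0-pre6-sarge0.1_i386.deb"
GOOD_DEB = b"constructed stand-in for the original mplayer .deb"
# Same length, one byte changed: simulates the rebuilt package from the thread's scenario.
TAMPERED_DEB = GOOD_DEB[:-1] + b"X"

SAMPLE_INDEX_TEXT = f"""Package: mplayer-nogui
Version: 1.0-pre6-sarge0.1
Architecture: i386
Filename: {FILENAME}
Size: {len(GOOD_DEB)}
SHA256: {sha256_hex(GOOD_DEB)}
"""
INDEX = parse_packages(SAMPLE_INDEX_TEXT)

if __name__ == "__main__":
    for label, blob, signed in (("original, signed index", GOOD_DEB, True),
                                ("tampered, signed index", TAMPERED_DEB, True),
                                ("original, unsigned index", GOOD_DEB, False)):
        print(label, "->", verify_download(blob, FILENAME, INDEX, signed))
    print("reinstall matches earlier install:",
          reinstall_is_same(TAMPERED_DEB, sha256_hex(GOOD_DEB)))
```

The ordering matters: an unsigned index is rejected outright rather than falling through to a hash comparison, which is what the "no warning on reinstall" worry amounts to. The second function shows why comparing against the previously installed copy is the stronger check for a reinstall: it holds up even if the index and the .deb were replaced together.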

