Hello Vadim, On Fri, Sep 27, 2013 at 8:34 AM, Markovtsev Vadim <v.markovt...@samsung.com> wrote: > Your patch works and indeed is better than mine. > The only thing that I suggest is to cache the setting before entering the > cycle:
Indeed, caching is better. Unfortunately the patch as included here opens a security hole… :/ The problem is: The code is marking all packages as untrusted so that the acquire code can later decide to acquire the package from an untrusted source – which in turn means that someone could have tempered with this source. So APT (and co) have to warn about this, even though at the stage it prints this message it isn't clear if it will really come from a trusted source or not. So, if you have an untrusted and a trusted source, with my patch above you will get no warning while you get a package from an untrusted source. That is bad. So, I redid the patch completely and said: Keep all packages which only have trusted sources as being trusted (so don't show warning for them), but if the package has at least one untrusted source mark it as untrusted so that the warning gets displayed and the acquire system can choose this source. (It can be any source, not just the first, as the acquire system can fall back) Nowadays, its really better to just enable [trusted=yes] in the sources.list if you can be sure that the source is trusted (e.g. local mirror) rather than this old workaround (to get pre-0.6 behavior) Best regards David Kalnischkies
0001-pkg-from-only-trusted-sources-keeps-being-trusted.patch
Description: Binary data
