On Mon, Jun 16, 2014 at 02:58:28PM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2014-06-16 at 09:35 +0200, Michael Vogt wrote:
> > I think for the future we actually should not allow an apt-get update
> > of untrusted repos without --allow-unauthenticated or
> > [trusted=no]. But this will probably break some setups so we need to
> > be careful and not rush it.
>
> And what about the setups, which assume secure data to be retrieved (as
> far as I can see the whole build stack of Debian), which is already
> broken now?
>
> Security is much more critical here than things continuing to work... if
> someone's setup really depends on not verifying integrity... he will
> immediately notice (and can add the flag),... but no one notices if his
> security is compromised by MitMs... :-(
>
> So I see not much of a reason to not implement that right away.

Absolutely, security is (much!) more important. However, with the fix
that recently went into -security, "apt-get source foo" will fail if foo
comes from a not-authenticated source. What I wrote above is about not
allowing "apt-get update" at all for unsigned repositories (unless
--allow-unauthenticated is used).

But maybe you are right and the warning that I added to git should be
an error that tells the user to use --allow-unauthenticated if he/she
really wants to use a repository that we can not authenticate.

Cheers,
 Michael