On Mon, Jun 16, 2014 at 11:18:27AM +0200, Jakub Wilk wrote:
> * Michael Vogt, 2014-06-16, 09:35:
> >+ _error->Warning(_("The data from '%s' is not signed. All packages from "
> >+ "that repository can not be authenticated."),
>
> s/can not/cannot/
>
> Also, "All" with a neg
On Mon, Jun 16, 2014 at 02:58:28PM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2014-06-16 at 09:35 +0200, Michael Vogt wrote:
> > I think for the future we actually should not allow an apt-get update
> > of untrusted repos without --allow-unauthenticated or
> > [trusted=no]. But this will pro
On Mon, 2014-06-16 at 09:35 +0200, Michael Vogt wrote:
> I think for the future we actually should not allow an apt-get update
> of untrusted repos without --allow-unauthenticated or
> [trusted=no]. But this will probably break some setups so we need to
> be careful and not rush it.
And what abou
* Michael Vogt, 2014-06-16, 09:35:
+ _error->Warning(_("The data from '%s' is not signed. All packages from "
+ "that repository can not be authenticated."),
s/can not/cannot/
Also, "All" with a negated verb sounds awkward to me (but that may be
due to my non-native-eng
On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote:
[..]
> > Hmm. There is no warning suggesting that anything fishy is going on,
> > and the exit code indicates success. (Perhaps the "Ign"s could raise
> > suspicion of an observant sysadmin. But who knows what "Ign" exactly
> > means? At
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
[..]
> > apt: no authentication checks for source packages
>
> The Debian security team has assigned CVE-2014-0478 to this issue.
[..]
> As for squeeze, if it's not too much extra work it would be great if an
> update for squeeze was
Hi Michael,
On Thu, June 12, 2014 13:52, Michael Vogt wrote:
> On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
>> > apt: no authentication checks for source packages
>>
>> The Debian security team has assigned CVE-2014-0478 to this issue.
>>
>> APT developers: we should fix this i
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
> > apt: no authentication checks for source packages
>
> The Debian security team has assigned CVE-2014-0478 to this issue.
>
> APT developers: we should fix this in wheezy. Are you able to provide an
> update for wheezy for this i
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
> Hi,
>
> > apt: no authentication checks for source packages
>
> The Debian security team has assigned CVE-2014-0478 to this issue.
>
> APT developers: we should fix this in wheezy. Are you able to provide an
> update for wheezy f
Hi,
> apt: no authentication checks for source packages
The Debian security team has assigned CVE-2014-0478 to this issue.
APT developers: we should fix this in wheezy. Are you able to provide an
update for wheezy for this issue?
As for squeeze, if it's not too much extra work it would be great
On Sat, May 31, 2014 at 12:07:48AM +0200, David Kalnischkies wrote:
> On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote:
> > From b7f501b5cc8583f61467f0c7a0282acbb88e4b29 Mon Sep 17 00:00:00 2001
> > From: Michael Vogt
> > Date: Fri, 30 May 2014 14:47:56 +0200
> > Subject: [PATCH] Show
On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote:
> From b7f501b5cc8583f61467f0c7a0282acbb88e4b29 Mon Sep 17 00:00:00 2001
> From: Michael Vogt
> Date: Fri, 30 May 2014 14:47:56 +0200
> Subject: [PATCH] Show unauthenticated warning for source packages as well
>
> This will show the s
On Thu, May 29, 2014 at 11:04:35PM +0200, Jakub Wilk wrote:
> Package: apt
> Version: 1.0.3
> Severity: grave
> Tags: security
Thanks for your bug report. You raise an important issue, but I agree
with David that it's best if this goes through the security team for
coordination.
> I've been investi
On Thu, May 29, 2014 at 11:04:35PM +0200, Jakub Wilk wrote:
> Package: apt
> Version: 1.0.3
> Severity: grave
> Tags: security
(personally, this feels a bit high. Mostly as deb-src isn't even part of
many default configurations in which apt is found. And in those where
you find it, you probably
Package: apt
Version: 1.0.3
Severity: grave
Tags: security
I've been investigating how apt behaves when the repository doesn't
contain any Release signatures (possibly because they were stripped off
by a man-in-the-middle attacker).
This is what I found out:
| # cat /etc/apt/sources.list
| d
15 matches