Control: severity -1 wishlist On Wed, Apr 13, 2016 at 05:27:21PM +0200, Michal Suchanek wrote: > Package: apt > Version: 1.2.10 > Severity: important > > Hello, > > I tried to install a compiler from emdebian because there is no > corresponding version in debian main archives and > > - apt warns that the source uses SHA1 hash > - the package is shown as untrusted
There are three types of failure: 001. Release file signed with GPG signature using SHA1 010. Release file containing no SHA256/SHA512 field for an index 100. Packages file containing no SHA256/SHA512 field for a package And what happens is: 001 => warns about repository/release file 010 => errors about repository/release file 100 => gives a hash sum mismatch AFAIUI So you have both issues 001 and 100 with that repository, or what do you mean by package is untrusted? > > Since no exploit is known for sha1 apt (and aptitude) should show > warning about weak hash but not show the packages as untrusted. For the vast majority of SHA1 issues, that's the case. Only a small minority of repositories is affected by the change in a strong way. > > I canot tell totally unsigned packages from packages which use hash that > Debian maintainers somehow dislike. Yes, you can. Unsigned packages can be installed due to "reasons". It's not about dislike. It's about having SHA1 repositories for 5 years if we don't deprecate it now (due to Ubuntu LTS shipping that APT for 5 years). We need to do some more work to get weakly signed repositories treated as some form of untrusted, I'd expect that to arrive in the next months. We also need to generally rethink untrusted repository handling, currently we have some magic flags like --allow-unauthenticated and (--no)-allow-insecure-repositories; it would be much better to make those configurable per source instead, and I'd like the following behavior: Turn related errors into warnings Following the slogan: Complain as hard as possible, even if the user tells us it's OK. Maybe we can have some I-Really-Know-What-I-Am-Doing-Do-Not-Warn-Me-About-Security field for people to really disable even the warnings. If we do, it should be unreasonable long, a pain to write, and convey what it is doing in a very loud way, so users get the message. Otherwise people write guides like: "" Please add deb [trusted=yes] http://example.com/debian stable main to your sources.list "" If it says: "" Please add deb [trusted=yes,ireallytrustthisevenifitisinsecuredonotwarnmeabout it=true] http://example.com/debian stable main to your sources.list "" people are less likely to just do it... > > This is unacceptable with many archives around using these hashes. s/many/small minority of/ -- Debian Developer - deb.li/jak | jak-linux.org - free software dev When replying, only quote what is necessary, and write each reply directly below the part(s) it pertains to (`inline'). Thank you.