On Tue, Sep 09, 2003 at 01:13:19AM -0400, Isaac Jones wrote:

> Matt Zimmerman <[EMAIL PROTECTED]> writes:
>
> > Argh, this is a show-stopper I think.
>
> I disagree.  It would still be good to offer the users the _ability_ to
> use only secure sources (for sensitive systems, for instance).  Also,
> including the security features will allow users to start transitioning to
> all secure sources, and give package distributors incentive to secure
> their own sources (especially if apt complains a bit).  We can make this
> less painful by adding features to tools like mini-dinstall.
I don't think it's particularly valid for apt to complain unless it can
actually distinguish whether it is installing packages from insecure sources
(which it cannot).  If a warning is given when things are obviously insecure,
users will take the lack of a warning to be a blessing.

> > So there's no real security unless every one of your sources is
> > authenticated.
>
> This has always been the case.  Any package can do anything to your
> system.

Having a prompt lets you have an insecure source in sources.list without
allowing it to sneak in a new version of a package that is currently
installed from a secure source.  It means that you can run "apt-get install
foo" and know that you will not get an untrusted version of foo unless you
explicitly sign off on it.  It also means that if you find yourself about to
install an untrusted package, you can do whatever is necessary in order to
authenticate or audit the package before installing it.

I think it provides a much smoother and safer upgrade path for existing
users, most of whom will have insecure sources.  Their official Debian
sources are automatically authenticated, and they are warned about
everything else.

> > These days, systems with unofficial sources in sources.list seem to be
> > more common than those without.
>
> There's nothing that says only official sources can be secure :)

See above; they have no particular incentive to become secure unless apt
places roadblocks in front of untrusted packages, and if it does that
without being able to differentiate accurately, it leads to a dangerous
false sense of security.

-- 
 - mdz
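A toy model of the prompt policy argued for in the message above, added here as an illustration; it is not apt's code and not code from anyone in this thread. It assumes a hypothetical inventory in which each source carries an "authenticated" flag (standing in for a verified index) and versions compare as integer tuples; the package names, sources and versions are constructed. The trusted_alternative() fallback is an assumption of the model, not something the thread specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]   # assumption: versions compare as int tuples
    source: str
    authenticated: bool        # True if this source's index was verified


# Constructed inventory (not real repositories): one authenticated official
# source, one unauthenticated third-party source, and "foo" already
# installed from the official source.
CANDIDATES: List[Candidate] = [
    Candidate("foo", (1, 1), "official", True),
    Candidate("foo", (1, 2), "unofficial", False),
    Candidate("bar", (2, 0), "official", True),
    Candidate("baz", (0, 9), "unofficial", False),
]
INSTALLED: Dict[str, Candidate] = {
    "foo": Candidate("foo", (1, 0), "official", True),
}


def best_candidate(name: str, candidates: List[Candidate],
                   authenticated_only: bool = False) -> Optional[Candidate]:
    """Highest version of `name` across all sources (optionally trusted only)."""
    pool = [c for c in candidates
            if c.name == name and (c.authenticated or not authenticated_only)]
    return max(pool, key=lambda c: c.version, default=None)


def decide(name: str, candidates: List[Candidate] = CANDIDATES,
           installed: Dict[str, Candidate] = INSTALLED,
           accept_untrusted: bool = False) -> Tuple[str, Optional[Candidate]]:
    """Plan 'apt-get install NAME' under the prompt policy.

    Returns one of:
      ("not-found", None)       no source carries the package
      ("already-newest", cur)   nothing newer than what is installed
      ("install", cand)         candidate is authenticated, or the user
                                explicitly accepted an untrusted one
      ("prompt", cand)          newest candidate is untrusted: stop and
                                ask; never replace anything silently
    """
    cand = best_candidate(name, candidates)
    if cand is None:
        return ("not-found", None)
    cur = installed.get(name)
    if cur is not None and cand.version <= cur.version:
        return ("already-newest", cur)
    if cand.authenticated or accept_untrusted:
        return ("install", cand)
    return ("prompt", cand)


def trusted_alternative(name: str, candidates: List[Candidate] = CANDIDATES,
                        installed: Dict[str, Candidate] = INSTALLED
                        ) -> Optional[Candidate]:
    """Assumed fallback: if the user declines the untrusted candidate, the
    newest authenticated version that is still an upgrade, or None."""
    cand = best_candidate(name, candidates, authenticated_only=True)
    cur = installed.get(name)
    if cand is None or (cur is not None and cand.version <= cur.version):
        return None
    return cand


if __name__ == "__main__":
    for pkg in ("foo", "bar", "baz", "qux"):
        action, cand = decide(pkg)
        where = (f"{cand.source} {'.'.join(map(str, cand.version))}"
                 if cand else "-")
        print(f"{pkg}: {action} ({where})")
    alt = trusted_alternative("foo")
    print("declining untrusted foo leaves:", alt.source, alt.version)
```

Running it shows "foo" stopping at a prompt because the highest version comes from the unofficial source even though 1.1 is available from the official one, "bar" installing silently, and "baz" prompting. The model deliberately assumes the per-source authenticated flag is reliable; that is exactly the objection in the first paragraph above: if apt cannot populate that flag accurately, the absence of a prompt becomes the false blessing the message warns about.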

