Re: apt-build - Authentication warning overridden. - security issue?

2015-06-13 Thread Patrick Schleizer
Brett Parker:
 On 18 Mar 16:27, Patrick Schleizer wrote:
 Hi,

 I was running:
 sudo apt-build install ccache

 And the output contained a message:

 WARNING: The following packages cannot be authenticated!
   ccache
 Authentication warning overridden.
 
 Have you tried updating the debian-archive-keyring package, and
 rerunning apt-get update?

Yes. All packages were 'apt-get update && apt-get dist-upgrade' before
running this experiment. Earlier in this thread we figured out why this
is happening.

Cheers,
Patrick


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/557c4407.9020...@riseup.net



Re: apt-build - Authentication warning overridden. - security issue?

2015-04-29 Thread Brett Parker
On 18 Mar 16:27, Patrick Schleizer wrote:
 Hi,
 
 I was running:
 sudo apt-build install ccache
 
 And the output contained a message:
 
 WARNING: The following packages cannot be authenticated!
   ccache
 Authentication warning overridden.

Have you tried updating the debian-archive-keyring package, and
rerunning apt-get update?

Thanks,
-- 
Brett Parker


Archive: https://lists.debian.org/20150429151558.GG32036@miranda



Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Patrick Schleizer
Dear security team!

Paul Wise thinks this is a security issue

Paul Wise:
 This is a security issue, [...]

I was running:
sudo apt-build install ccache

And the output contained a message:

WARNING: The following packages cannot be authenticated!
  ccache
Authentication warning overridden.

Is this just how apt-build works or could this be a security issue due
to installing unauthenticated packages?

public: yes [posted on debian-security mailing list]

versions affected: all suites

how to fix: no idea

Cheers,
Patrick


Archive: https://lists.debian.org/550aa61c.9080...@riseup.net



Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Holger Levsen
Hi,

I think you probably just need to run apt-get update before apt-get 
install...

It's definitely not a security issue deserving the attention of the security 
team.


cheers,
Holger





Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Patrick Schleizer
Holger Levsen:
 I think you probably just need to run apt-get update before apt-get 
 install...

I did that, I am sure of it. Reproduced this on two different systems.

Cheers,
Patrick


Archive: https://lists.debian.org/550ab274.50...@riseup.net



Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Holger Levsen
Hi,

On Thursday, 19 March 2015, Patrick Schleizer wrote:
  I think you probably just need to run apt-get update before apt-get
  install...
 I did that, I am sure of it. Reproduced this on two different systems.

can you put the output of apt-get update and apt-cache policy on 
paste.debian.net?


cheers,
Holger




Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Cyril Brulebois
Patrick Schleizer adrela...@riseup.net (2015-03-18):
 Hi,
 
 I was running:
 sudo apt-build install ccache
 
 And the output contained a message:
 
 WARNING: The following packages cannot be authenticated!
   ccache
 Authentication warning overridden.
 
 Is this just how apt-build works or could this be a security issue due
 to installing unauthenticated packages?

It probably wouldn't happen if the source snippet added at
installation time would be using “deb [trusted=yes]” instead of just
“deb”. Manually editing /etc/apt/sources.list.d/apt-build.list seems
to confirm that.

See /var/lib/dpkg/info/apt-build.postinst:
   debline=deb file:$repository_dir apt-build main

Mraw,
KiBi.




Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Patrick Schleizer
Holger Levsen:
 Hi,
 
 On Thursday, 19 March 2015, Patrick Schleizer wrote:
 I think you probably just need to run apt-get update before apt-get
 install...
 I did that, I am sure of it. Reproduced this on two different systems.
 
 can you put the output of apt-get update and apt-cache policy on 
 paste.debian.net?

Done:
http://paste.debian.net/162076/

And for completeness' sake, I also added the output of apt-build install
hello.

Cheers,
Patrick


Archive: https://lists.debian.org/550ae629.4050...@riseup.net



Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Patrick Schleizer
Cyril Brulebois:
 Patrick Schleizer adrela...@riseup.net (2015-03-18):
 Hi,

 I was running:
 sudo apt-build install ccache

 And the output contained a message:

 WARNING: The following packages cannot be authenticated!
   ccache
 Authentication warning overridden.

 Is this just how apt-build works or could this be a security issue due
 to installing unauthenticated packages?
 
 It probably wouldn't happen if the source snippet added at
 installation time would be using “deb [trusted=yes]” instead of just
 “deb”. Manually editing /etc/apt/sources.list.d/apt-build.list seems
 to confirm that. [...]

That works for me on jessie, but not on wheezy.

But... Doesn't this just silence the warning? I mean, adding
'[trusted=yes]' to the local apt line is safe, sure. But the original
issue was, that the message 'Authentication warning overridden.' is auto
generated. I.e. apt-build used apt-get in a way to ignore such warnings.
There is one line in apt-build source code that includes '-o
Apt::Get::AllowUnauthenticated=true'. So if some other packages from a
remote repository could not be authenticated, another 'Authentication
warning overridden.' could happen?

For testing purposes, I removed the part '-o
Apt::Get::AllowUnauthenticated=true' from apt-build. 'apt-build install'
is still functional. I don't understand the code to say if that is a
good idea. What do you think? Should that part be removed?

Cheers,
Patrick


Archive: https://lists.debian.org/550aee86.7000...@riseup.net
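
Added example (not part of the thread and not apt-build's own code): a shell audit for the two trust overrides discussed in the message above, a `[trusted=yes]` source entry and `Apt::Get::AllowUnauthenticated=true`. The function names, the temporary directory layout and all file contents are constructed assumptions; GNU grep is assumed.

```shell
#!/bin/sh
# Added example; every path and file content below is constructed.

# List deb/deb-src entries marked [trusted=yes] whose URI is not a local
# file: or copy: repository. A local build repository is the case the thread
# treats as safe; a remote entry with this option skips signature checks.
find_trusted_remote() {  # $1 = directory of *.list files
    grep -HnE '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes[^]]*\]' \
        "$1"/*.list 2>/dev/null |
        grep -vE '\][[:space:]]+(file|copy):' || true
}

# List places that switch authentication off for a whole apt-get run,
# in apt.conf syntax, as a "-o" override, or as the command-line flag.
find_allow_unauth() {  # $1.. = files or directories to search
    grep -rniE 'apt::get::allowunauthenticated[[:space:]"=]+(true|yes|1)|--allow-unauthenticated' \
        "$@" 2>/dev/null || true
}

# Constructed sample tree standing in for /etc/apt and a wrapper script.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/sources.list.d" "$d/bin"
    cat > "$d/sources.list.d/apt-build.list" <<'EOF'
deb [trusted=yes] file:/srv/local-repo apt-build main
EOF
    cat > "$d/sources.list.d/thirdparty.list" <<'EOF'
# deb [trusted=yes] http://old.example.invalid/debian stable main
deb [arch=amd64 trusted=yes] http://repo.example.invalid/debian stable main
deb http://deb.example.invalid/debian stable main
EOF
    cat > "$d/bin/wrapper" <<'EOF'
apt-get -o Apt::Get::AllowUnauthenticated=true install "$1"
EOF
    echo "$d"
}

sample=$(make_sample)
echo "== remote sources with trusted=yes =="
find_trusted_remote "$sample/sources.list.d"
echo "== global authentication overrides =="
find_allow_unauth "$sample/bin"
rm -rf "$sample"
```

The local `file:` entry is not reported, while the remote `[trusted=yes]` entry and the wrapper's global override are, which mirrors the distinction drawn in the message above.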



Re: apt-build - Authentication warning overridden. - security issue?

2015-03-18 Thread Paul Wise
On Thu, Mar 19, 2015 at 12:27 AM, Patrick Schleizer wrote:

 Is this just how apt-build works or could this be a security issue due
 to installing unauthenticated packages?

This is a security issue, please take a look at this page:

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


Archive: https://lists.debian.org/CAKTje6EFMcA7=k55-brgaoj4_uvylkxh4zbm8-nxds-bh-b...@mail.gmail.com