Bug#820910: apt no longer verifies repositories using sha1 hash
Package: apt
Version: 1.4.8
Followup-For: Bug #820910

Dear Maintainer,

This also affects pulling old stuff from snapshots.debian.org ... which is a lot more useful when you can put `[check-valid-until=no]` in sources.list, which is only in recent apt.

-- Package-specific info:
-- (no /etc/apt/preferences present) --

-- (no /etc/apt/preferences.d/* present) --

-- (/etc/apt/sources.list present, but not submitted) --

-- (no /etc/apt/sources.list.d/* present) --

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2017.5
ii  gpgv                    2.1.18-8~deb9u1
ii  init-system-helpers     1.48
ii  libapt-pkg5.0           1.4.8
ii  libc6                   2.24-11+deb9u1
ii  libgcc1                 1:6.3.0-18
ii  libstdc++6              6.3.0-18

Versions of packages apt recommends:
ii  gnupg   2.1.18-8~deb9u1
ii  gnupg2  2.1.18-8~deb9u1

Versions of packages apt suggests:
pn  apt-doc
ii  aptitude        0.8.7-1
ii  dpkg-dev        1.18.24
ii  powermgmt-base  1.31+nmu1
pn  python-apt

-- no debconf information
Bug#820910: apt no longer verifies repositories using sha1 hash
Control: severity -1 wishlist

On Wed, Apr 13, 2016 at 05:27:21PM +0200, Michal Suchanek wrote:
> Package: apt
> Version: 1.2.10
> Severity: important
>
> Hello,
>
> I tried to install a compiler from emdebian because there is no corresponding version in debian main archives and
>
> - apt warns that the source uses SHA1 hash
> - the package is shown as untrusted

There are three types of failure:

001. Release file signed with GPG signature using SHA1
010. Release file containing no SHA256/SHA512 field for an index
100. Packages file containing no SHA256/SHA512 field for a package

And what happens is:

001 => warns about repository/release file
010 => errors about repository/release file
100 => gives a hash sum mismatch AFAIUI

So you have both issues 001 and 100 with that repository, or what do you mean by package is untrusted?

> Since no exploit is known for sha1 apt (and aptitude) should show warning about weak hash but not show the packages as untrusted.

For the vast majority of SHA1 issues, that's the case. Only a small minority of repositories is affected by the change in a strong way.

> I cannot tell totally unsigned packages from packages which use hash that Debian maintainers somehow dislike.

Yes, you can. Unsigned packages can be installed due to "reasons".

It's not about dislike. It's about having SHA1 repositories for 5 years if we don't deprecate it now (due to Ubuntu LTS shipping that APT for 5 years).

We need to do some more work to get weakly signed repositories treated as some form of untrusted, I'd expect that to arrive in the next months.

We also need to generally rethink untrusted repository handling, currently we have some magic flags like --allow-unauthenticated and (--no)-allow-insecure-repositories; it would be much better to make those configurable per source instead, and I'd like the following behavior:

  Turn related errors into warnings

Following the slogan: Complain as hard as possible, even if the user tells us it's OK.

Maybe we can have some I-Really-Know-What-I-Am-Doing-Do-Not-Warn-Me-About-Security field for people to really disable even the warnings. If we do, it should be unreasonably long, a pain to write, and convey what it is doing in a very loud way, so users get the message. Otherwise people write guides like:

""
Please add

  deb [trusted=yes] http://example.com/debian stable main

to your sources.list
""

If it says:

""
Please add

  deb [trusted=yes,ireallytrustthisevenifitisinsecuredonotwarnmeaboutit=true] http://example.com/debian stable main

to your sources.list
""

people are less likely to just do it...

> This is unacceptable with many archives around using these hashes.

s/many/small minority of/

--
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply directly below the part(s) it pertains to (`inline'). Thank you.
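The reply above distinguishes three failure classes (001 signature digest, 010 Release hash fields, 100 Packages hash fields). The following script is an added example, not apt's own code and not part of the bug thread: it reads a Release file body and a Packages file and reports which index paths and which packages carry no SHA256/SHA512 entry, i.e. which would fall into classes 010 and 100. Class 001 depends on the digest used in the OpenPGP signature, which is not visible in these files, so it is left to gpgv. The sample Release and Packages contents are constructed for the example and their digests are placeholder strings; the function and constant names are this example's own.

```python
"""Audit a repository's metadata for the two hash-field failure classes
(010: Release index without SHA256/SHA512, 100: Packages stanza without
SHA256/SHA512) described in the reply. Added example, not apt's own code."""
import re
from typing import Dict, List, Set

STRONG = {"SHA256", "SHA512"}
# Release files spell the field "MD5Sum", Packages files spell it "MD5sum".
RELEASE_HASH_FIELDS = {"MD5Sum", "SHA1", "SHA256", "SHA512"}
PACKAGES_HASH_FIELDS = {"MD5sum", "SHA1", "SHA256", "SHA512"}


def parse_release(text: str) -> Dict[str, Set[str]]:
    """Map each index path listed in a Release file to the set of hash
    fields (MD5Sum, SHA1, SHA256, SHA512) that list an entry for it."""
    coverage: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # Unindented line starts a new field; only hash fields have the
            # indented "<digest> <size> <path>" entry lines we look at.
            field = line.split(":", 1)[0]
            current = field if field in RELEASE_HASH_FIELDS else None
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) == 3:
            coverage.setdefault(parts[2], set()).add(current)
    return coverage


def parse_packages(text: str) -> Dict[str, Set[str]]:
    """Map each package name in a Packages file to the hash fields its stanza carries."""
    result: Dict[str, Set[str]] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" ") or ":" not in line:
                continue  # continuation lines (e.g. Description text) are not fields
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            result[fields["Package"]] = {k for k in fields if k in PACKAGES_HASH_FIELDS}
    return result


def classify(release_text: str, packages_text: str) -> Dict[str, List[str]]:
    """Return index paths (class 010) and package names (class 100) that have
    no SHA256/SHA512 entry, keyed by the class labels used in the reply."""
    findings: Dict[str, List[str]] = {"010": [], "100": []}
    for path, hashes in parse_release(release_text).items():
        if not hashes & STRONG:
            findings["010"].append(path)
    for pkg, hashes in parse_packages(packages_text).items():
        if not hashes & STRONG:
            findings["100"].append(pkg)
    return findings


def explain(findings: Dict[str, List[str]]) -> List[str]:
    """Render each finding as the apt behaviour the reply attributes to its class."""
    lines = []
    for path in findings["010"]:
        lines.append(f"010 {path}: no SHA256/SHA512 in Release -> apt errors about the release file")
    for pkg in findings["100"]:
        lines.append(f"100 {pkg}: no SHA256/SHA512 in Packages -> apt reports a hash sum mismatch")
    return lines


# Constructed sample metadata for this example; digests are placeholders, not real hashes.
SAMPLE_RELEASE = f"""Origin: Example
Suite: stable
Architectures: amd64
Components: main
MD5Sum:
 {'a' * 32} 1000 main/binary-amd64/Packages
 {'b' * 32}  800 main/binary-amd64/Packages.gz
 {'c' * 32}  600 main/source/Sources
SHA1:
 {'d' * 40} 1000 main/binary-amd64/Packages
 {'e' * 40}  800 main/binary-amd64/Packages.gz
 {'f' * 40}  600 main/source/Sources
SHA256:
 {'1' * 64}  800 main/binary-amd64/Packages.gz
 {'2' * 64}  600 main/source/Sources
"""

SAMPLE_PACKAGES = f"""Package: newtool
Version: 2.0-1
Architecture: amd64
Filename: pool/main/n/newtool/newtool_2.0-1_amd64.deb
MD5sum: {'a' * 32}
SHA1: {'b' * 40}
SHA256: {'c' * 64}

Package: oldtool
Version: 1.0-1
Architecture: amd64
Filename: pool/main/o/oldtool/oldtool_1.0-1_amd64.deb
MD5sum: {'d' * 32}
SHA1: {'e' * 40}
"""

if __name__ == "__main__":
    for line in explain(classify(SAMPLE_RELEASE, SAMPLE_PACKAGES)):
        print(line)
```

On the constructed sample, the uncompressed `main/binary-amd64/Packages` index is listed only under MD5Sum and SHA1 (class 010) and the `oldtool` stanza has no SHA256 line (class 100), while `Packages.gz`, `Sources` and `newtool` pass. Pointing the two parsers at a real mirror's `Release` and `Packages` files shows the same split that drives apt's error versus hash-sum-mismatch behaviour described in the reply.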
Bug#820910: apt no longer verifies repositories using sha1 hash
Package: apt
Version: 1.2.10
Severity: important

Hello,

I tried to install a compiler from emdebian because there is no corresponding version in debian main archives and

- apt warns that the source uses SHA1 hash
- the package is shown as untrusted

Since no exploit is known for sha1 apt (and aptitude) should show warning about weak hash but not show the packages as untrusted.

I cannot tell totally unsigned packages from packages which use hash that Debian maintainers somehow dislike.

This is unacceptable with many archives around using these hashes.

Thanks

Michal

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (910, 'testing'), (900, 'stable'), (610, 'oldstable'), (410, 'unstable'), (400, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.114
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.20-5
ii  gnupg2                  2.1.11-6
ii  gpgv                    1.4.20-5
ii  init-system-helpers     1.29
ii  libapt-pkg5.0           1.2.10
ii  libc6                   2.22-5
ii  libgcc1                 1:5.3.1-13
ii  libstdc++6              5.3.1-13

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc     1.2.10
ii  aptitude    0.7.5-3
ii  dpkg-dev    1.18.4
ii  python-apt  1.1.0~beta2

-- no debconf information