Bug#820910: apt no longer verifies repositories using sha1 hash

2017-11-30 Thread Ben Longbons
Package: apt
Version: 1.4.8
Followup-For: Bug #820910

Dear Maintainer,

This also affects pulling old stuff from snapshots.debian.org ... which
is a lot more useful when you can put `[check-valid-until=no]` in
sources.list, which is only in recent apt.

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- (no /etc/apt/sources.list.d/* present) --


-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser 3.115
ii  debian-archive-keyring  2017.5
ii  gpgv                    2.1.18-8~deb9u1
ii  init-system-helpers 1.48
ii  libapt-pkg5.0   1.4.8
ii  libc6   2.24-11+deb9u1
ii  libgcc1 1:6.3.0-18
ii  libstdc++6  6.3.0-18

Versions of packages apt recommends:
ii  gnupg   2.1.18-8~deb9u1
ii  gnupg2  2.1.18-8~deb9u1

Versions of packages apt suggests:
pn  apt-doc 
ii  aptitude        0.8.7-1
ii  dpkg-dev        1.18.24
ii  powermgmt-base  1.31+nmu1
pn  python-apt  

-- no debconf information



Bug#820910: apt no longer verifies repositories using sha1 hash

2016-04-13 Thread Julian Andres Klode
Control: severity -1 wishlist

On Wed, Apr 13, 2016 at 05:27:21PM +0200, Michal Suchanek wrote:
> Package: apt
> Version: 1.2.10
> Severity: important
> 
> Hello,
> 
> I tried to install a compiler from emdebian because there is no
> corresponding version in debian main archives and
> 
>  - apt warns that the source uses SHA1 hash
>  - the package is shown as untrusted

There are three types of failure:

001. Release file signed with GPG signature using SHA1
010. Release file containing no SHA256/SHA512 field for an index
100. Packages file containing no SHA256/SHA512 field for a package

And what happens is:
  001 => warns about repository/release file
  010 => errors about repository/release file
  100 => gives a hash sum mismatch AFAIUI

So you have both issues 001 and 100 with that repository, or what
do you mean by package is untrusted?

> 
> Since no exploit is known for sha1 apt (and aptitude) should show
> warning about weak hash but not show the packages as untrusted.

For the vast majority of SHA1 issues, that's the case. Only a small
minority of repositories is affected by the change in a strong way.

> 
> I cannot tell totally unsigned packages from packages which use hash that
> Debian maintainers somehow dislike.

Yes, you can. Unsigned packages can be installed due to "reasons".

It's not about dislike. It's about having SHA1 repositories for 5 years
if we don't deprecate it now (due to Ubuntu LTS shipping that APT for 5
years).

We need to do some more work to get weakly signed repositories
treated as some form of untrusted, I'd expect that to arrive in the
next months.

We also need to generally rethink untrusted repository handling,
currently we have some magic flags like --allow-unauthenticated
and (--no)-allow-insecure-repositories; it would be much better
to make those configurable per source instead, and I'd like
the following behavior:

 Turn related errors into warnings

Following the slogan: Complain as hard as possible, even if the user
tells us it's OK. Maybe we can have some

I-Really-Know-What-I-Am-Doing-Do-Not-Warn-Me-About-Security

field for people to really disable even the warnings. If we do, it
should be unreasonably long, a pain to write, and convey what it is
doing in a very loud way, so users get the message. Otherwise people
write guides like:

""
Please add
   deb [trusted=yes] http://example.com/debian stable main
to your sources.list
""

If it says:

""
Please add
   deb [trusted=yes,ireallytrustthisevenifitisinsecuredonotwarnmeabout it=true] 
http://example.com/debian stable main
to your sources.list 
""

people are less likely to just do it...

> 
> This is unacceptable with many archives around using these hashes.

s/many/small minority of/

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
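The reply above distinguishes a Release file that lists no SHA256/SHA512 entry for an index (type 010) from a Packages file whose stanza carries no SHA256/SHA512 field (type 100). The following is an added example, not code from the thread or from apt itself: a small checker that parses both file formats and reports which index files or packages would fall into those two categories. The sample Release and Packages contents are constructed for illustration; the first failure type (a SHA1-based OpenPGP signature) is not covered, since it requires inspecting the signature itself rather than the file body.

```python
import re

STRONG_FIELDS = ("SHA256", "SHA512")

# Constructed sample Release file: Sources has only an MD5 entry, no SHA256.
RELEASE_SAMPLE = """\
Suite: stable
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
 d41d8cd98f00b204e9800998ecf8427e 0 main/source/Sources
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Constructed sample Packages file: "foo" carries only a SHA1 field.
PACKAGES_SAMPLE = """\
Package: foo
Version: 1.0
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

Package: bar
Version: 2.0
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

def release_hash_sections(text):
    """Map each checksum section (MD5Sum, SHA1, SHA256, ...) to the index paths it lists."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^([A-Za-z0-9]+):\s*$", line)   # e.g. "SHA256:" with no value
        if header:
            current = header.group(1)
            sections.setdefault(current, set())
        elif line.startswith(" ") and current:
            parts = line.split()                             # "<hash> <size> <path>"
            if len(parts) == 3:
                sections[current].add(parts[2])
        else:
            current = None                                   # any other field ends the section
    return sections

def indexes_lacking_strong_hash(text):
    """Type 010 from the thread: index files with no SHA256/SHA512 entry in Release."""
    sections = release_hash_sections(text)
    listed = set().union(*sections.values())
    strong = set().union(*(sections.get(f, set()) for f in STRONG_FIELDS))
    return sorted(listed - strong)

def packages_lacking_strong_hash(text):
    """Type 100 from the thread: package stanzas with no SHA256/SHA512 field."""
    weak = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+):\s*(.*)$", stanza, re.M))
        if "Package" in fields and not any(f in fields for f in STRONG_FIELDS):
            weak.append(fields["Package"])
    return weak
```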



Bug#820910: apt no longer verifies repositories using sha1 hash

2016-04-13 Thread Michal Suchanek
Package: apt
Version: 1.2.10
Severity: important

Hello,

I tried to install a compiler from emdebian because there is no
corresponding version in debian main archives and

 - apt warns that the source uses SHA1 hash
 - the package is shown as untrusted

Since no exploit is known for sha1 apt (and aptitude) should show
warning about weak hash but not show the packages as untrusted.

I cannot tell totally unsigned packages from packages which use hash that
Debian maintainers somehow dislike.

This is unacceptable with many archives around using these hashes.

Thanks

Michal

-- Package-specific info:


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (910, 'testing'), (900, 'stable'), (610, 'oldstable'), (410, 'unstable'), (400, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser 3.114
ii  debian-archive-keyring  2014.3
ii  gnupg   1.4.20-5
ii  gnupg2  2.1.11-6
ii  gpgv                    1.4.20-5
ii  init-system-helpers 1.29
ii  libapt-pkg5.0   1.2.10
ii  libc6   2.22-5
ii  libgcc1 1:5.3.1-13
ii  libstdc++6  5.3.1-13

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc 1.2.10
ii  aptitude        0.7.5-3
ii  dpkg-dev        1.18.4
ii  python-apt  1.1.0~beta2

-- no debconf information