author | David Kalnischkies <david@kalnischkies.de> | 2016-03-18 14:46:24 +0100 |
---|---|---|
committer | David Kalnischkies <david@kalnischkies.de> | 2016-06-22 14:05:01 +0200 |
commit | 952ee63b0af14a534c0aca00c11d1a99be6b22b2 (patch) | |
tree | 098154a03b1616e00289074eda11d4bee72ead8c | |
parent | b1bdfe682054ea6fc202416968c5342d59b403b1 (diff) |
forbid insecure repositories by default expect in apt-get
With this commit all APT-based clients default to refusing to work with
unsigned or otherwise insufficiently secured repositories. In terms of
apt and apt-get this changes nothing, but it affects all tools using
libapt like aptitude, synaptic or packagekit.
The exception remains apt-get for stretch for now as this might break
too many scripts/usecases too quickly.
The documentation is updated and extended to reflect how to opt out or
in on this behaviour change.
Closes: 808367
-rw-r--r-- | apt-pkg/init.cc | 5 | ||||
-rw-r--r-- | apt-private/private-cmndline.cc | 25 | ||||
-rw-r--r-- | doc/apt-get.8.xml | 5 | ||||
-rw-r--r-- | doc/apt-secure.8.xml | 44 | ||||
-rw-r--r-- | doc/apt.conf.5.xml | 29 |
5 files changed, 68 insertions, 40 deletions
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index a41d604d3..c77e8e2fe 100644
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -86,10 +86,7 @@ bool pkgInitConfig(Configuration &Cnf)
 Cnf.Set("Dir::Ignore-Files-Silently::", "\\.distUpgrade$");
 // Repository security
- // FIXME: this is set to "true" for backward compatibility, once
- // jessie is out we want to change this to "false" to
- // improve security
- Cnf.CndSet("Acquire::AllowInsecureRepositories", true);
+ Cnf.CndSet("Acquire::AllowInsecureRepositories", false);
 Cnf.CndSet("Acquire::AllowDowngradeToInsecureRepositories", false);
 // Default cdrom mount point
diff --git a/apt-private/private-cmndline.cc b/apt-private/private-cmndline.cc
index ba64c5b46..481c23c94 100644
--- a/apt-private/private-cmndline.cc
+++ b/apt-private/private-cmndline.cc
@@ -372,7 +372,6 @@ std::vector<CommandLine::Args> getCommandArgs(APT_CMD const Program, char const
 return Args;
 }
 /*}}}*/
-#undef CmdMatches
 #undef addArg
 static void ShowHelpListCommands(std::vector<aptDispatchWithHelp> const &Cmds)/*{{{*/
 {
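Review bot: The new `Cnf.CndSet("Acquire::AllowInsecureRepositories", false);` line drops the only comment that explained this default, so a reader of init.cc no longer learns that the hardening is deliberate nor where the apt-get exception comes from. I would keep a short why-comment above it, e.g. `// Refuse unsigned or otherwise unverifiable repositories by default; the temporary apt-get update grace period is applied in apt-private/private-cmndline.cc`. It is also worth noting on the line that CndSet only fills an unset key, so whether a value from a configuration file can still pre-empt this default depends on the order in which pkgInitConfig runs relative to config loading, which is outside this hunk. pkgInitConfig begins and ends outside the hunk.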
@@ -445,15 +444,22 @@ static void BinarySpecificConfiguration(char const * const Binary) /*{{{*/
 _config->CndSet("Binary::apt::APT::Get::Upgrade-Allow-New", true);
 _config->CndSet("Binary::apt::APT::Cmd::Show-Update-Stats", true);
 _config->CndSet("Binary::apt::DPkg::Progress-Fancy", true);
- _config->CndSet("Binary::apt::Acquire::AllowInsecureRepositories", false);
 _config->CndSet("Binary::apt::APT::Keep-Downloaded-Packages", false);
 }
+ if (binary == "apt-config")
+ _config->CndSet("Binary::apt-get::Acquire::AllowInsecureRepositories", true);
 _config->Set("Binary", binary);
- std::string const conf = "Binary::" + binary;
- _config->MoveSubTree(conf.c_str(), NULL);
 }
 /*}}}*/
+static void BinaryCommandSpecificConfiguration(char const * const Binary, char const * const Cmd)/*{{{*/
+{
+ std::string const binary = flNotDir(Binary);
+ if (binary == "apt-get" && CmdMatches("update"))
+ _config->CndSet("Binary::apt-get::Acquire::AllowInsecureRepositories", true);
+}
+#undef CmdMatches
+ /*}}}*/
 std::vector<CommandLine::Dispatch> ParseCommandLine(CommandLine &CmdL, APT_CMD const Binary,/*{{{*/
 Configuration * const * const Cnf, pkgSystem ** const Sys, int const argc, const char *argv[],
 bool (*ShowHelp)(CommandLine &), std::vector<aptDispatchWithHelp> (*GetCommands)(void))
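Review bot: In BinarySpecificConfiguration the new branch tests `binary == "apt-config"` but writes `Binary::apt-get::Acquire::AllowInsecureRepositories`, so the binary being checked and the subtree being set do not match. If that is intentional — presumably so that `apt-config dump` reports the grace-period override apt-get will receive, since for apt-config that key stays under Binary::apt-get:: instead of being moved into the root — it deserves a comment such as `// let apt-config report the apt-get update default below Binary::apt-get:: without applying it here`; if not, it looks like a typo for "apt-get". BinaryCommandSpecificConfiguration appears to rely on the CmdMatches macro expanding against a variable literally named Cmd, which only works because the parameter carries that name; a one-line comment above the function stating that dependency would prevent silent breakage on a rename (the macro definition is outside this hunk). The hunk ends inside the ParseCommandLine signature, whose body continues in the next hunk.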
@@ -481,11 +487,14 @@ std::vector<CommandLine::Dispatch> ParseCommandLine(CommandLine &CmdL, APT_CMD c
 // Args running out of scope invalidates the pointer stored in CmdL,
 // but we don't use the pointer after this function, so we ignore
 // this problem for now and figure something out if we have to.
- std::vector<CommandLine::Args> Args;
+ char const * CmdCalled = nullptr;
 if (Cmds.empty() == false && Cmds[0].Handler != nullptr)
- Args = getCommandArgs(Binary, CommandLine::GetCommand(Cmds.data(), argc, argv));
- else
- Args = getCommandArgs(Binary, nullptr);
+ CmdCalled = CommandLine::GetCommand(Cmds.data(), argc, argv);
+ if (CmdCalled != nullptr)
+ BinaryCommandSpecificConfiguration(argv[0], CmdCalled);
+ std::string const conf = "Binary::" + _config->Find("Binary");
+ _config->MoveSubTree(conf.c_str(), nullptr);
+ auto Args = getCommandArgs(Binary, CmdCalled);
 CmdL = CommandLine(Args.data(), _config);
 if (CmdL.Parse(argc,argv) == false ||
diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml
index 20d761075..8fc6cc26d 100644
--- a/doc/apt-get.8.xml
+++ b/doc/apt-get.8.xml
@@ -563,8 +563,9 @@
 <varlistentry><term><option>--no-allow-insecure-repositories</option></term>
 <listitem><para>Forbid the update command to acquire unverifiable
- data from configured sources. Apt will fail at the update command
- for repositories without valid cryptographically signatures.
+ data from configured sources. APT will fail at the update command
+ for repositories without valid cryptographically signatures. See
+ also &apt-secure; for details on the concept and the implications.
 Configuration Item: <literal>Acquire::AllowInsecureRepositories</literal>.</para></listitem>
 </varlistentry>
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
index 1cf6539c6..2c1c192d4 100644
--- a/doc/apt-secure.8.xml
+++ b/doc/apt-secure.8.xml
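Review bot: Moving the subtree here means the `Binary::apt-get::Acquire::AllowInsecureRepositories true` set a few lines earlier for `apt-get update` is folded over the root after configuration files have been read, so a top-level `Acquire::AllowInsecureRepositories "false"` in apt.conf — the opt-in the previous apt-secure(8) text recommended — may be silently overridden for apt-get if MoveSubTree replaces existing root values (its semantics are outside this hunk). The command-line `--no-allow-insecure-repositories` is unaffected because CmdL.Parse runs after the move, but the config-file case should either be honoured (for instance by not applying the apt-get override when the root key was explicitly configured) or called out in apt-secure(8) and the release notes, since a user who hardened their system under the old advice would otherwise lose that protection unnoticed. A short comment above the MoveSubTree call, e.g. `// Binary:: and command-specific defaults take precedence over top-level keys from this point on`, would make the precedence rule visible. Note also that the policy keys off `argv[0]` via flNotDir, so invoking the same binary through a differently named link changes the security default; that pre-dates this commit but now has a security consequence worth documenting. ParseCommandLine starts in the previous hunk and continues past this one.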
@@ -13,7 +13,7 @@
 &apt-email; &apt-product;
 <!-- The last update date -->
- <date>2015-10-15T00:00:00Z</date>
+ <date>2016-03-18T00:00:00Z</date>
 </refentryinfo>
 <refmeta>
@@ -48,22 +48,46 @@
 Starting with version 0.6, <command>APT</command> contains code that does signature checking of the Release file for all repositories. This ensures that data like packages in the archive can't be modified by people who
- have no access to the Release file signing key.
+ have no access to the Release file signing key. Starting with version 1.1
+ <command>APT</command> requires repositories to provide recent authentication
+ information for unimpeded usage of the repository.
 </para>
 <para>
 If an archive has an unsigned Release file or no Release file at all
- current APT versions will raise a warning in <command>update</command>
- operations and front-ends like <command>apt-get</command> will require
- explicit confirmation if an installation request includes a package from
- such an unauthenticated archive.
+ current APT versions will refuse to download data from them by default
+ in <command>update</command> operations and even if forced to download
+ front-ends like &apt-get; will require explicit confirmation if an
+ installation request includes a package from such an unauthenticated
+ archive.
 </para>
 <para>
- In the future APT will refuse to work with unauthenticated repositories by
- default until support for them is removed entirely. Users have the option to
- opt-in to this behavior already by setting the configuration option
- <option>Acquire::AllowInsecureRepositories</option> to <literal>false</literal>.
+ As a temporary exception &apt-get; (not &apt;!) raises warnings only if it
+ encounters unauthenticated archives to give a slightly longer grace period
+ on this backward compatibility effecting change. This exception will be removed
+ in future releases and you can opt-out of this grace period by setting the
+ configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option>
+ to <literal>false</literal> or <option>--no-allow-insecure-repositories</option>
+ on the command line.
+ </para>
+
+ <para>
+ You can force all APT clients to raise only warnings by setting the
+ configuration option <option>Acquire::AllowInsecureRepositories</option> to
+ <literal>true</literal>. Note that this option will eventually be removed.
+ Users also have the <option>Trusted</option> option available to disable
+ even the warnings, but be sure to understand the implications as detailed in
+ &sources-list;.
+ </para>
+
+ <para>
+ A repository which previously was authentication but would loose this state in
+ an <command>update</command> operation raises an error in all APT clients
+ irrespective of the option to allow or forbid usage of insecure repositories.
+ The error can be overcome by additionally setting
+ <option>Acquire::AllowDowngradeToInsecureRepositories</option>
+ to <literal>true</literal>.
 </para>
 <para>
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index d71f99c0a..015401605 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -650,27 +650,24 @@ APT::Compressor::rev {
 <varlistentry><term><option>AllowInsecureRepositories</option></term>
 <listitem><para>
- Allow the update operation to load data files from
- a repository without a trusted signature. If enabled this
- option no data files will be loaded and the update
- operation fails with a error for this source. The default
- is false for backward compatibility. This will be changed
- in the future.
+ Allow update operations to load data files from
+ repositories without sufficient security information.
+ The default value is "<literal>false</literal>".
+ Concept and implications of this are detailed in &apt-secure;.
 </para></listitem>
 </varlistentry>
 <varlistentry><term><option>AllowDowngradeToInsecureRepositories</option></term>
 <listitem><para>
- Allow that a repository that was previously gpg signed to become
- unsigned durign a update operation. When there is no valid signature
- of a previously trusted repository apt will refuse the update. This
- option can be used to override this protection. You almost certainly
- never want to enable this. The default is false.
-
- Note that apt will still consider packages from this source
- untrusted and warn about them if you try to install
- them.
- </para></listitem>
+ Allow that a repository that was previously gpg signed to become
+ unsigned during an update operation. When there is no valid signature
+ for a previously trusted repository apt will refuse the update. This
+ option can be used to override this protection. You almost certainly
+ never want to enable this. The default is <literal>false</literal>.
+
+ Note that apt will still consider packages from this source
+ untrusted and warns about them if you try to install them.
+ </para></listitem>
 </varlistentry>
 <varlistentry><term><option>Changelogs::URI</option> scope</term> |