diff options
author | David Kalnischkies <david@kalnischkies.de> | 2016-03-18 14:46:24 +0100 |
---|---|---|
committer | David Kalnischkies <david@kalnischkies.de> | 2016-06-22 14:05:01 +0200 |
commit | 952ee63b0af14a534c0aca00c11d1a99be6b22b2 (patch) | |
tree | 098154a03b1616e00289074eda11d4bee72ead8c /doc | |
parent | b1bdfe682054ea6fc202416968c5342d59b403b1 (diff) |
forbid insecure repositories by default expect in apt-get
With this commit all APT-based clients default to refusing to work with
unsigned or otherwise insufficently secured repositories. In terms of
apt and apt-get this changes nothing, but it effects all tools using
libapt like aptitude, synaptic or packagekit.
The exception remains apt-get for stretch for now as this might break
too many scripts/usecases too quickly.
The documentation is updated and extended to reflect how to opt out or
in on this behaviour change.
Closes: 808367
Diffstat (limited to 'doc')
-rw-r--r-- | doc/apt-get.8.xml | 5 | ||||
-rw-r--r-- | doc/apt-secure.8.xml | 44 | ||||
-rw-r--r-- | doc/apt.conf.5.xml | 29 |
3 files changed, 50 insertions, 28 deletions
diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml index 20d761075..8fc6cc26d 100644 --- a/doc/apt-get.8.xml +++ b/doc/apt-get.8.xml @@ -563,8 +563,9 @@ <varlistentry><term><option>--no-allow-insecure-repositories</option></term> <listitem><para>Forbid the update command to acquire unverifiable - data from configured sources. Apt will fail at the update command - for repositories without valid cryptographically signatures. + data from configured sources. APT will fail at the update command + for repositories without valid cryptographically signatures. See + also &apt-secure; for details on the concept and the implications. Configuration Item: <literal>Acquire::AllowInsecureRepositories</literal>.</para></listitem> </varlistentry> diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index 1cf6539c6..2c1c192d4 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -13,7 +13,7 @@ &apt-email; &apt-product; <!-- The last update date --> - <date>2015-10-15T00:00:00Z</date> + <date>2016-03-18T00:00:00Z</date> </refentryinfo> <refmeta> @@ -48,22 +48,46 @@ Starting with version 0.6, <command>APT</command> contains code that does signature checking of the Release file for all repositories. This ensures that data like packages in the archive can't be modified by people who - have no access to the Release file signing key. + have no access to the Release file signing key. Starting with version 1.1 + <command>APT</command> requires repositories to provide recent authentication + information for unimpeded usage of the repository. </para> <para> If an archive has an unsigned Release file or no Release file at all - current APT versions will raise a warning in <command>update</command> - operations and front-ends like <command>apt-get</command> will require - explicit confirmation if an installation request includes a package from - such an unauthenticated archive. + current APT versions will refuse to download data from them by default + in <command>update</command> operations and even if forced to download + front-ends like &apt-get; will require explicit confirmation if an + installation request includes a package from such an unauthenticated + archive. </para> <para> - In the future APT will refuse to work with unauthenticated repositories by - default until support for them is removed entirely. Users have the option to - opt-in to this behavior already by setting the configuration option - <option>Acquire::AllowInsecureRepositories</option> to <literal>false</literal>. + As a temporary exception &apt-get; (not &apt;!) raises warnings only if it + encounters unauthenticated archives to give a slightly longer grace period + on this backward compatibility effecting change. This exception will be removed + in future releases and you can opt-out of this grace period by setting the + configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option> + to <literal>false</literal> or <option>--no-allow-insecure-repositories</option> + on the command line. + </para> + + <para> + You can force all APT clients to raise only warnings by setting the + configuration option <option>Acquire::AllowInsecureRepositories</option> to + <literal>true</literal>. Note that this option will eventually be removed. + Users also have the <option>Trusted</option> option available to disable + even the warnings, but be sure to understand the implications as detailed in + &sources-list;. + </para> + + <para> + A repository which previously was authentication but would loose this state in + an <command>update</command> operation raises an error in all APT clients + irrespective of the option to allow or forbid usage of insecure repositories. + The error can be overcome by additionally setting + <option>Acquire::AllowDowngradeToInsecureRepositories</option> + to <literal>true</literal>. </para> <para> diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml index d71f99c0a..015401605 100644 --- a/doc/apt.conf.5.xml +++ b/doc/apt.conf.5.xml @@ -650,27 +650,24 @@ APT::Compressor::rev { <varlistentry><term><option>AllowInsecureRepositories</option></term> <listitem><para> - Allow the update operation to load data files from - a repository without a trusted signature. If enabled this - option no data files will be loaded and the update - operation fails with a error for this source. The default - is false for backward compatibility. This will be changed - in the future. + Allow update operations to load data files from + repositories without sufficient security information. + The default value is "<literal>false</literal>". + Concept and implications of this are detailed in &apt-secure;. </para></listitem> </varlistentry> <varlistentry><term><option>AllowDowngradeToInsecureRepositories</option></term> <listitem><para> - Allow that a repository that was previously gpg signed to become - unsigned durign a update operation. When there is no valid signature - of a previously trusted repository apt will refuse the update. This - option can be used to override this protection. You almost certainly - never want to enable this. The default is false. - - Note that apt will still consider packages from this source - untrusted and warn about them if you try to install - them. - </para></listitem> + Allow that a repository that was previously gpg signed to become + unsigned during an update operation. When there is no valid signature + for a previously trusted repository apt will refuse the update. This + option can be used to override this protection. You almost certainly + never want to enable this. The default is <literal>false</literal>. + + Note that apt will still consider packages from this source + untrusted and warns about them if you try to install them. + </para></listitem> </varlistentry> <varlistentry><term><option>Changelogs::URI</option> scope</term> |