summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2016-03-18 14:46:24 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2016-06-22 14:05:01 +0200
commit952ee63b0af14a534c0aca00c11d1a99be6b22b2 (patch)
tree098154a03b1616e00289074eda11d4bee72ead8c /doc
parentb1bdfe682054ea6fc202416968c5342d59b403b1 (diff)
forbid insecure repositories by default expect in apt-get
With this commit all APT-based clients default to refusing to work with unsigned or otherwise insufficently secured repositories. In terms of apt and apt-get this changes nothing, but it effects all tools using libapt like aptitude, synaptic or packagekit. The exception remains apt-get for stretch for now as this might break too many scripts/usecases too quickly. The documentation is updated and extended to reflect how to opt out or in on this behaviour change. Closes: 808367
Diffstat (limited to 'doc')
-rw-r--r--doc/apt-get.8.xml5
-rw-r--r--doc/apt-secure.8.xml44
-rw-r--r--doc/apt.conf.5.xml29
3 files changed, 50 insertions, 28 deletions
diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml
index 20d761075..8fc6cc26d 100644
--- a/doc/apt-get.8.xml
+++ b/doc/apt-get.8.xml
@@ -563,8 +563,9 @@
<varlistentry><term><option>--no-allow-insecure-repositories</option></term>
<listitem><para>Forbid the update command to acquire unverifiable
- data from configured sources. Apt will fail at the update command
- for repositories without valid cryptographically signatures.
+ data from configured sources. APT will fail at the update command
+ for repositories without valid cryptographically signatures. See
+ also &apt-secure; for details on the concept and the implications.
Configuration Item: <literal>Acquire::AllowInsecureRepositories</literal>.</para></listitem>
</varlistentry>
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
index 1cf6539c6..2c1c192d4 100644
--- a/doc/apt-secure.8.xml
+++ b/doc/apt-secure.8.xml
@@ -13,7 +13,7 @@
&apt-email;
&apt-product;
<!-- The last update date -->
- <date>2015-10-15T00:00:00Z</date>
+ <date>2016-03-18T00:00:00Z</date>
</refentryinfo>
<refmeta>
@@ -48,22 +48,46 @@
Starting with version 0.6, <command>APT</command> contains code that does
signature checking of the Release file for all repositories. This ensures
that data like packages in the archive can't be modified by people who
- have no access to the Release file signing key.
+ have no access to the Release file signing key. Starting with version 1.1
+ <command>APT</command> requires repositories to provide recent authentication
+ information for unimpeded usage of the repository.
</para>
<para>
If an archive has an unsigned Release file or no Release file at all
- current APT versions will raise a warning in <command>update</command>
- operations and front-ends like <command>apt-get</command> will require
- explicit confirmation if an installation request includes a package from
- such an unauthenticated archive.
+ current APT versions will refuse to download data from them by default
+ in <command>update</command> operations and even if forced to download
+ front-ends like &apt-get; will require explicit confirmation if an
+ installation request includes a package from such an unauthenticated
+ archive.
</para>
<para>
- In the future APT will refuse to work with unauthenticated repositories by
- default until support for them is removed entirely. Users have the option to
- opt-in to this behavior already by setting the configuration option
- <option>Acquire::AllowInsecureRepositories</option> to <literal>false</literal>.
+ As a temporary exception &apt-get; (not &apt;!) raises warnings only if it
+ encounters unauthenticated archives to give a slightly longer grace period
+ on this backward compatibility effecting change. This exception will be removed
+ in future releases and you can opt-out of this grace period by setting the
+ configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option>
+ to <literal>false</literal> or <option>--no-allow-insecure-repositories</option>
+ on the command line.
+ </para>
+
+ <para>
+ You can force all APT clients to raise only warnings by setting the
+ configuration option <option>Acquire::AllowInsecureRepositories</option> to
+ <literal>true</literal>. Note that this option will eventually be removed.
+ Users also have the <option>Trusted</option> option available to disable
+ even the warnings, but be sure to understand the implications as detailed in
+ &sources-list;.
+ </para>
+
+ <para>
+ A repository which previously was authentication but would loose this state in
+ an <command>update</command> operation raises an error in all APT clients
+ irrespective of the option to allow or forbid usage of insecure repositories.
+ The error can be overcome by additionally setting
+ <option>Acquire::AllowDowngradeToInsecureRepositories</option>
+ to <literal>true</literal>.
</para>
<para>
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index d71f99c0a..015401605 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -650,27 +650,24 @@ APT::Compressor::rev {
<varlistentry><term><option>AllowInsecureRepositories</option></term>
<listitem><para>
- Allow the update operation to load data files from
- a repository without a trusted signature. If enabled this
- option no data files will be loaded and the update
- operation fails with a error for this source. The default
- is false for backward compatibility. This will be changed
- in the future.
+ Allow update operations to load data files from
+ repositories without sufficient security information.
+ The default value is "<literal>false</literal>".
+ Concept and implications of this are detailed in &apt-secure;.
</para></listitem>
</varlistentry>
<varlistentry><term><option>AllowDowngradeToInsecureRepositories</option></term>
<listitem><para>
- Allow that a repository that was previously gpg signed to become
- unsigned durign a update operation. When there is no valid signature
- of a previously trusted repository apt will refuse the update. This
- option can be used to override this protection. You almost certainly
- never want to enable this. The default is false.
-
- Note that apt will still consider packages from this source
- untrusted and warn about them if you try to install
- them.
- </para></listitem>
+ Allow that a repository that was previously gpg signed to become
+ unsigned during an update operation. When there is no valid signature
+ for a previously trusted repository apt will refuse the update. This
+ option can be used to override this protection. You almost certainly
+ never want to enable this. The default is <literal>false</literal>.
+
+ Note that apt will still consider packages from this source
+ untrusted and warns about them if you try to install them.
+ </para></listitem>
</varlistentry>
<varlistentry><term><option>Changelogs::URI</option> scope</term>