diff options
-rw-r--r-- | apt-pkg/init.cc | 5 | ||||
-rw-r--r-- | apt-private/private-cmndline.cc | 25 | ||||
-rw-r--r-- | doc/apt-get.8.xml | 5 | ||||
-rw-r--r-- | doc/apt-secure.8.xml | 44 | ||||
-rw-r--r-- | doc/apt.conf.5.xml | 29 |
5 files changed, 68 insertions, 40 deletions
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc index a41d604d3..c77e8e2fe 100644 --- a/apt-pkg/init.cc +++ b/apt-pkg/init.cc @@ -86,10 +86,7 @@ bool pkgInitConfig(Configuration &Cnf) Cnf.Set("Dir::Ignore-Files-Silently::", "\\.distUpgrade$"); // Repository security - // FIXME: this is set to "true" for backward compatibility, once - // jessie is out we want to change this to "false" to - // improve security - Cnf.CndSet("Acquire::AllowInsecureRepositories", true); + Cnf.CndSet("Acquire::AllowInsecureRepositories", false); Cnf.CndSet("Acquire::AllowDowngradeToInsecureRepositories", false); // Default cdrom mount point diff --git a/apt-private/private-cmndline.cc b/apt-private/private-cmndline.cc index ba64c5b46..481c23c94 100644 --- a/apt-private/private-cmndline.cc +++ b/apt-private/private-cmndline.cc @@ -372,7 +372,6 @@ std::vector<CommandLine::Args> getCommandArgs(APT_CMD const Program, char const return Args; } /*}}}*/ -#undef CmdMatches #undef addArg static void ShowHelpListCommands(std::vector<aptDispatchWithHelp> const &Cmds)/*{{{*/ { @@ -445,15 +444,22 @@ static void BinarySpecificConfiguration(char const * const Binary) /*{{{*/ _config->CndSet("Binary::apt::APT::Get::Upgrade-Allow-New", true); _config->CndSet("Binary::apt::APT::Cmd::Show-Update-Stats", true); _config->CndSet("Binary::apt::DPkg::Progress-Fancy", true); - _config->CndSet("Binary::apt::Acquire::AllowInsecureRepositories", false); _config->CndSet("Binary::apt::APT::Keep-Downloaded-Packages", false); } + if (binary == "apt-config") + _config->CndSet("Binary::apt-get::Acquire::AllowInsecureRepositories", true); _config->Set("Binary", binary); - std::string const conf = "Binary::" + binary; - _config->MoveSubTree(conf.c_str(), NULL); } /*}}}*/ +static void BinaryCommandSpecificConfiguration(char const * const Binary, char const * const Cmd)/*{{{*/ +{ + std::string const binary = flNotDir(Binary); + if (binary == "apt-get" && CmdMatches("update")) + _config->CndSet("Binary::apt-get::Acquire::AllowInsecureRepositories", true); +} +#undef CmdMatches + /*}}}*/ std::vector<CommandLine::Dispatch> ParseCommandLine(CommandLine &CmdL, APT_CMD const Binary,/*{{{*/ Configuration * const * const Cnf, pkgSystem ** const Sys, int const argc, const char *argv[], bool (*ShowHelp)(CommandLine &), std::vector<aptDispatchWithHelp> (*GetCommands)(void)) @@ -481,11 +487,14 @@ std::vector<CommandLine::Dispatch> ParseCommandLine(CommandLine &CmdL, APT_CMD c // Args running out of scope invalidates the pointer stored in CmdL, // but we don't use the pointer after this function, so we ignore // this problem for now and figure something out if we have to. - std::vector<CommandLine::Args> Args; + char const * CmdCalled = nullptr; if (Cmds.empty() == false && Cmds[0].Handler != nullptr) - Args = getCommandArgs(Binary, CommandLine::GetCommand(Cmds.data(), argc, argv)); - else - Args = getCommandArgs(Binary, nullptr); + CmdCalled = CommandLine::GetCommand(Cmds.data(), argc, argv); + if (CmdCalled != nullptr) + BinaryCommandSpecificConfiguration(argv[0], CmdCalled); + std::string const conf = "Binary::" + _config->Find("Binary"); + _config->MoveSubTree(conf.c_str(), nullptr); + auto Args = getCommandArgs(Binary, CmdCalled); CmdL = CommandLine(Args.data(), _config); if (CmdL.Parse(argc,argv) == false || diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml index 20d761075..8fc6cc26d 100644 --- a/doc/apt-get.8.xml +++ b/doc/apt-get.8.xml @@ -563,8 +563,9 @@ <varlistentry><term><option>--no-allow-insecure-repositories</option></term> <listitem><para>Forbid the update command to acquire unverifiable - data from configured sources. Apt will fail at the update command - for repositories without valid cryptographically signatures. + data from configured sources. APT will fail at the update command + for repositories without valid cryptographically signatures. See + also &apt-secure; for details on the concept and the implications. Configuration Item: <literal>Acquire::AllowInsecureRepositories</literal>.</para></listitem> </varlistentry> diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index 1cf6539c6..2c1c192d4 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -13,7 +13,7 @@ &apt-email; &apt-product; <!-- The last update date --> - <date>2015-10-15T00:00:00Z</date> + <date>2016-03-18T00:00:00Z</date> </refentryinfo> <refmeta> @@ -48,22 +48,46 @@ Starting with version 0.6, <command>APT</command> contains code that does signature checking of the Release file for all repositories. This ensures that data like packages in the archive can't be modified by people who - have no access to the Release file signing key. + have no access to the Release file signing key. Starting with version 1.1 + <command>APT</command> requires repositories to provide recent authentication + information for unimpeded usage of the repository. </para> <para> If an archive has an unsigned Release file or no Release file at all - current APT versions will raise a warning in <command>update</command> - operations and front-ends like <command>apt-get</command> will require - explicit confirmation if an installation request includes a package from - such an unauthenticated archive. + current APT versions will refuse to download data from them by default + in <command>update</command> operations and even if forced to download + front-ends like &apt-get; will require explicit confirmation if an + installation request includes a package from such an unauthenticated + archive. </para> <para> - In the future APT will refuse to work with unauthenticated repositories by - default until support for them is removed entirely. Users have the option to - opt-in to this behavior already by setting the configuration option - <option>Acquire::AllowInsecureRepositories</option> to <literal>false</literal>. + As a temporary exception &apt-get; (not &apt;!) raises warnings only if it + encounters unauthenticated archives to give a slightly longer grace period + on this backward compatibility effecting change. This exception will be removed + in future releases and you can opt-out of this grace period by setting the + configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option> + to <literal>false</literal> or <option>--no-allow-insecure-repositories</option> + on the command line. + </para> + + <para> + You can force all APT clients to raise only warnings by setting the + configuration option <option>Acquire::AllowInsecureRepositories</option> to + <literal>true</literal>. Note that this option will eventually be removed. + Users also have the <option>Trusted</option> option available to disable + even the warnings, but be sure to understand the implications as detailed in + &sources-list;. + </para> + + <para> + A repository which previously was authentication but would loose this state in + an <command>update</command> operation raises an error in all APT clients + irrespective of the option to allow or forbid usage of insecure repositories. + The error can be overcome by additionally setting + <option>Acquire::AllowDowngradeToInsecureRepositories</option> + to <literal>true</literal>. </para> <para> diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml index d71f99c0a..015401605 100644 --- a/doc/apt.conf.5.xml +++ b/doc/apt.conf.5.xml @@ -650,27 +650,24 @@ APT::Compressor::rev { <varlistentry><term><option>AllowInsecureRepositories</option></term> <listitem><para> - Allow the update operation to load data files from - a repository without a trusted signature. If enabled this - option no data files will be loaded and the update - operation fails with a error for this source. The default - is false for backward compatibility. This will be changed - in the future. + Allow update operations to load data files from + repositories without sufficient security information. + The default value is "<literal>false</literal>". + Concept and implications of this are detailed in &apt-secure;. </para></listitem> </varlistentry> <varlistentry><term><option>AllowDowngradeToInsecureRepositories</option></term> <listitem><para> - Allow that a repository that was previously gpg signed to become - unsigned durign a update operation. When there is no valid signature - of a previously trusted repository apt will refuse the update. This - option can be used to override this protection. You almost certainly - never want to enable this. The default is false. - - Note that apt will still consider packages from this source - untrusted and warn about them if you try to install - them. - </para></listitem> + Allow that a repository that was previously gpg signed to become + unsigned during an update operation. When there is no valid signature + for a previously trusted repository apt will refuse the update. This + option can be used to override this protection. You almost certainly + never want to enable this. The default is <literal>false</literal>. + + Note that apt will still consider packages from this source + untrusted and warns about them if you try to install them. + </para></listitem> </varlistentry> <varlistentry><term><option>Changelogs::URI</option> scope</term> |