Use Acquire::Allow{InsecureRepositories,DowngradeToInsecureRepositories}

The configuration key Acquire::AllowInsecureRepositories controls if
apt allows loading of unsigned repositories at all.

The configuration Acquire::AllowDowngradeToInsecureRepositories
controls if a signed repository can ever become unsigned. This
should really never be needed but we provide it to avoid having
to mess around in /var/lib/apt/lists if there is a use-case for
this (which I can't think of right now).

2 files changed, 28 insertions, 11 deletions

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 4a684f40c..93ba098ee 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1629,14 +1629,27 @@ void pkgAcqMetaSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf)/*{{{*/
                                          "InRelease");
    string FinalInRelease = _config->FindDir("Dir::State::lists") + URItoFileName(InReleaseURI);
 
-   if(RealFileExists(Final) || RealFileExists(FinalInRelease))
+   if (RealFileExists(Final) || RealFileExists(FinalInRelease))
    {
-      _error->Error("The repository '%s' is no longer signed.",
-                    URIDesc.c_str());
-      Rename(MetaIndexFile, MetaIndexFile+".FAILED");
-      Status = pkgAcquire::Item::StatError;
-      TransactionManager->AbortTransaction();
-      return;
+      std::string downgrade_msg;
+      strprintf(downgrade_msg, _("The repository '%s' is no longer signed."),
+                URIDesc.c_str());
+      if(_config->FindB("Acquire::AllowDowngradeToInsecureRepositories"))
+      {
+         // meh, the users wants to take risks (we still mark the packages
+         // from this repository as unauthenticated)
+         _error->Warning("%s", downgrade_msg.c_str());
+         _error->Warning(_("This is normally not allowed, but the option "
+                           "Acquire::AllowDowngradeToInsecureRepositories was "
+                           "given to override it."));
+         
+      } else {
+         _error->Error("%s", downgrade_msg.c_str());
+         Rename(MetaIndexFile, MetaIndexFile+".FAILED");
+         Status = pkgAcquire::Item::StatError;
+         TransactionManager->AbortTransaction();
+         return;
+      }
    }
 
    // this ensures that any file in the lists/ dir is removed by the
@@ -1654,7 +1667,7 @@ void pkgAcqMetaSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf)/*{{{*/
    }
 
    // only allow going further if the users explicitely wants it
-   if(_config->FindB("APT::Get::AllowUnauthenticated", false) == true)
+   if(_config->FindB("Acquire::AllowInsecureRepositories") == true)
    {
       // we parse the indexes here because at this point the user wanted
       // a repository that may potentially harm him
@@ -1663,7 +1676,7 @@ void pkgAcqMetaSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf)/*{{{*/
    } 
    else 
    {
-      _error->Warning("Use --allow-unauthenticated to force the update");
+      _error->Warning("Use --allow-insecure-repositories to force the update");
    }
 
    // FIXME: this is used often (e.g. in pkgAcqIndexTrans) so refactor
@@ -2123,12 +2136,12 @@ void pkgAcqMetaIndex::Failed(string Message,
    // No Release file was present, or verification failed, so fall
    // back to queueing Packages files without verification
    // only allow going further if the users explicitely wants it
-   if(_config->FindB("APT::Get::AllowUnauthenticated", false) == true)
+   if(_config->FindB("Acquire::AllowInsecureRepositories") == true)
    {
       QueueIndexes(false);
    } else {
       // warn if the repository is unsinged
-      _error->Warning("Use --allow-unauthenticated to force the update");
+      _error->Warning("Use --allow-insecure-repositories to force the update");
    } 
 }
 									/*}}}*/
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index 241628632..82dff4ee8 100644
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -88,6 +88,10 @@ bool pkgInitConfig(Configuration &Cnf)
    Cnf.Set("Dir::Ignore-Files-Silently::", "\\.orig$");
    Cnf.Set("Dir::Ignore-Files-Silently::", "\\.distUpgrade$");
 
+   // Repository security
+   Cnf.CndSet("Acquire::AllowInsecureRepositories", false);
+   Cnf.CndSet("Acquire::AllowDowngradeToInsecureRepositories", false);
+
    // Default cdrom mount point
    Cnf.CndSet("Acquire::cdrom::mount", "/media/cdrom/");