summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--apt-pkg/init.cc5
-rw-r--r--apt-private/private-cmndline.cc25
-rw-r--r--doc/apt-get.8.xml5
-rw-r--r--doc/apt-secure.8.xml44
-rw-r--r--doc/apt.conf.5.xml29
5 files changed, 68 insertions, 40 deletions
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index a41d604d3..c77e8e2fe 100644
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -86,10 +86,7 @@ bool pkgInitConfig(Configuration &Cnf)
Cnf.Set("Dir::Ignore-Files-Silently::", "\\.distUpgrade$");
// Repository security
- // FIXME: this is set to "true" for backward compatibility, once
- // jessie is out we want to change this to "false" to
- // improve security
- Cnf.CndSet("Acquire::AllowInsecureRepositories", true);
+ Cnf.CndSet("Acquire::AllowInsecureRepositories", false);
Cnf.CndSet("Acquire::AllowDowngradeToInsecureRepositories", false);
// Default cdrom mount point
diff --git a/apt-private/private-cmndline.cc b/apt-private/private-cmndline.cc
index ba64c5b46..481c23c94 100644
--- a/apt-private/private-cmndline.cc
+++ b/apt-private/private-cmndline.cc
@@ -372,7 +372,6 @@ std::vector<CommandLine::Args> getCommandArgs(APT_CMD const Program, char const
return Args;
}
/*}}}*/
-#undef CmdMatches
#undef addArg
static void ShowHelpListCommands(std::vector<aptDispatchWithHelp> const &Cmds)/*{{{*/
{
@@ -445,15 +444,22 @@ static void BinarySpecificConfiguration(char const * const Binary) /*{{{*/
_config->CndSet("Binary::apt::APT::Get::Upgrade-Allow-New", true);
_config->CndSet("Binary::apt::APT::Cmd::Show-Update-Stats", true);
_config->CndSet("Binary::apt::DPkg::Progress-Fancy", true);
- _config->CndSet("Binary::apt::Acquire::AllowInsecureRepositories", false);
_config->CndSet("Binary::apt::APT::Keep-Downloaded-Packages", false);
}
+ if (binary == "apt-config")
+ _config->CndSet("Binary::apt-get::Acquire::AllowInsecureRepositories", true);
_config->Set("Binary", binary);
- std::string const conf = "Binary::" + binary;
- _config->MoveSubTree(conf.c_str(), NULL);
}
/*}}}*/
+static void BinaryCommandSpecificConfiguration(char const * const Binary, char const * const Cmd)/*{{{*/
+{
+ std::string const binary = flNotDir(Binary);
+ if (binary == "apt-get" && CmdMatches("update"))
+ _config->CndSet("Binary::apt-get::Acquire::AllowInsecureRepositories", true);
+}
+#undef CmdMatches
+ /*}}}*/
std::vector<CommandLine::Dispatch> ParseCommandLine(CommandLine &CmdL, APT_CMD const Binary,/*{{{*/
Configuration * const * const Cnf, pkgSystem ** const Sys, int const argc, const char *argv[],
bool (*ShowHelp)(CommandLine &), std::vector<aptDispatchWithHelp> (*GetCommands)(void))
@@ -481,11 +487,14 @@ std::vector<CommandLine::Dispatch> ParseCommandLine(CommandLine &CmdL, APT_CMD c
// Args running out of scope invalidates the pointer stored in CmdL,
// but we don't use the pointer after this function, so we ignore
// this problem for now and figure something out if we have to.
- std::vector<CommandLine::Args> Args;
+ char const * CmdCalled = nullptr;
if (Cmds.empty() == false && Cmds[0].Handler != nullptr)
- Args = getCommandArgs(Binary, CommandLine::GetCommand(Cmds.data(), argc, argv));
- else
- Args = getCommandArgs(Binary, nullptr);
+ CmdCalled = CommandLine::GetCommand(Cmds.data(), argc, argv);
+ if (CmdCalled != nullptr)
+ BinaryCommandSpecificConfiguration(argv[0], CmdCalled);
+ std::string const conf = "Binary::" + _config->Find("Binary");
+ _config->MoveSubTree(conf.c_str(), nullptr);
+ auto Args = getCommandArgs(Binary, CmdCalled);
CmdL = CommandLine(Args.data(), _config);
if (CmdL.Parse(argc,argv) == false ||
diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml
index 20d761075..8fc6cc26d 100644
--- a/doc/apt-get.8.xml
+++ b/doc/apt-get.8.xml
@@ -563,8 +563,9 @@
<varlistentry><term><option>--no-allow-insecure-repositories</option></term>
<listitem><para>Forbid the update command to acquire unverifiable
- data from configured sources. Apt will fail at the update command
- for repositories without valid cryptographically signatures.
+ data from configured sources. APT will fail at the update command
+ for repositories without valid cryptographically signatures. See
+ also &apt-secure; for details on the concept and the implications.
Configuration Item: <literal>Acquire::AllowInsecureRepositories</literal>.</para></listitem>
</varlistentry>
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
index 1cf6539c6..2c1c192d4 100644
--- a/doc/apt-secure.8.xml
+++ b/doc/apt-secure.8.xml
@@ -13,7 +13,7 @@
&apt-email;
&apt-product;
<!-- The last update date -->
- <date>2015-10-15T00:00:00Z</date>
+ <date>2016-03-18T00:00:00Z</date>
</refentryinfo>
<refmeta>
@@ -48,22 +48,46 @@
Starting with version 0.6, <command>APT</command> contains code that does
signature checking of the Release file for all repositories. This ensures
that data like packages in the archive can't be modified by people who
- have no access to the Release file signing key.
+ have no access to the Release file signing key. Starting with version 1.1
+ <command>APT</command> requires repositories to provide recent authentication
+ information for unimpeded usage of the repository.
</para>
<para>
If an archive has an unsigned Release file or no Release file at all
- current APT versions will raise a warning in <command>update</command>
- operations and front-ends like <command>apt-get</command> will require
- explicit confirmation if an installation request includes a package from
- such an unauthenticated archive.
+ current APT versions will refuse to download data from them by default
+ in <command>update</command> operations and even if forced to download
+ front-ends like &apt-get; will require explicit confirmation if an
+ installation request includes a package from such an unauthenticated
+ archive.
</para>
<para>
- In the future APT will refuse to work with unauthenticated repositories by
- default until support for them is removed entirely. Users have the option to
- opt-in to this behavior already by setting the configuration option
- <option>Acquire::AllowInsecureRepositories</option> to <literal>false</literal>.
+ As a temporary exception &apt-get; (not &apt;!) raises warnings only if it
+ encounters unauthenticated archives to give a slightly longer grace period
+ on this backward compatibility effecting change. This exception will be removed
+ in future releases and you can opt-out of this grace period by setting the
+ configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option>
+ to <literal>false</literal> or <option>--no-allow-insecure-repositories</option>
+ on the command line.
+ </para>
+
+ <para>
+ You can force all APT clients to raise only warnings by setting the
+ configuration option <option>Acquire::AllowInsecureRepositories</option> to
+ <literal>true</literal>. Note that this option will eventually be removed.
+ Users also have the <option>Trusted</option> option available to disable
+ even the warnings, but be sure to understand the implications as detailed in
+ &sources-list;.
+ </para>
+
+ <para>
+ A repository which previously was authentication but would loose this state in
+ an <command>update</command> operation raises an error in all APT clients
+ irrespective of the option to allow or forbid usage of insecure repositories.
+ The error can be overcome by additionally setting
+ <option>Acquire::AllowDowngradeToInsecureRepositories</option>
+ to <literal>true</literal>.
</para>
<para>
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index d71f99c0a..015401605 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -650,27 +650,24 @@ APT::Compressor::rev {
<varlistentry><term><option>AllowInsecureRepositories</option></term>
<listitem><para>
- Allow the update operation to load data files from
- a repository without a trusted signature. If enabled this
- option no data files will be loaded and the update
- operation fails with a error for this source. The default
- is false for backward compatibility. This will be changed
- in the future.
+ Allow update operations to load data files from
+ repositories without sufficient security information.
+ The default value is "<literal>false</literal>".
+ Concept and implications of this are detailed in &apt-secure;.
</para></listitem>
</varlistentry>
<varlistentry><term><option>AllowDowngradeToInsecureRepositories</option></term>
<listitem><para>
- Allow that a repository that was previously gpg signed to become
- unsigned durign a update operation. When there is no valid signature
- of a previously trusted repository apt will refuse the update. This
- option can be used to override this protection. You almost certainly
- never want to enable this. The default is false.
-
- Note that apt will still consider packages from this source
- untrusted and warn about them if you try to install
- them.
- </para></listitem>
+ Allow that a repository that was previously gpg signed to become
+ unsigned during an update operation. When there is no valid signature
+ for a previously trusted repository apt will refuse the update. This
+ option can be used to override this protection. You almost certainly
+ never want to enable this. The default is <literal>false</literal>.
+
+ Note that apt will still consider packages from this source
+ untrusted and warns about them if you try to install them.
+ </para></listitem>
</varlistentry>
<varlistentry><term><option>Changelogs::URI</option> scope</term>