Diffstat (limited to 'doc/apt-secure.8.xml')
-rw-r--r-- | doc/apt-secure.8.xml | 52 |
1 files changed, 30 insertions, 22 deletions
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index f1f63dae1..50f99d3c3 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -13,7 +13,7 @@ &apt-email; &apt-product; <!-- The last update date --> - <date>2016-08-06T00:00:00Z</date> + <date>2017-04-12T00:00:00Z</date> </refentryinfo> <refmeta> @@ -50,10 +50,20 @@ that data like packages in the archive can't be modified by people who have no access to the Release file signing key. Starting with version 1.1 <command>APT</command> requires repositories to provide recent authentication - information for unimpeded usage of the repository. + information for unimpeded usage of the repository. Since version 1.5 changes + in the information contained in the Release file about the repository need to be + confirmed before APT continues to apply updates from this repository. </para> <para> + Note: All APT-based package management front-ends like &apt-get;, &aptitude; + and &synaptic; support this authentication feature, so this manpage uses + <literal>APT</literal> to refer to them all for simplicity only. + </para> +</refsect1> + + <refsect1><title>Unsigned Repositories</title> + <para> If an archive has an unsigned Release file or no Release file at all current APT versions will refuse to download data from them by default in <command>update</command> operations and even if forced to download 
@@ -63,16 +73,6 @@ </para> <para> - As a temporary exception &apt-get; (not &apt;!) raises warnings only if it - encounters unauthenticated archives to give a slightly longer grace period - on this backward compatibility effecting change. This exception will be removed - in future releases and you can opt-out of this grace period by setting the - configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option> - to <literal>false</literal> or <option>--no-allow-insecure-repositories</option> - on the command line. - </para> - - <para> You can force all APT clients to raise only warnings by setting the configuration option <option>Acquire::AllowInsecureRepositories</option> to <literal>true</literal>. Individual repositories can also be allowed to be insecure @@ -93,16 +93,9 @@ to <literal>true</literal> or for Individual repositories with the &sources-list; option <literal>allow-downgrade-to-insecure=yes</literal>. </para> - - <para> - Note: All APT-based package management front-ends like &apt-get;, &aptitude; - and &synaptic; support this authentication feature, so this manpage uses - <literal>APT</literal> to refer to them all for simplicity only. - </para> </refsect1> - <refsect1><title>Trusted Repositories</title> - + <refsect1><title>Signed Repositories</title> <para> The chain of trust from an APT archive to the end user is made up of several steps. <command>apt-secure</command> is the last step in 
@@ -172,7 +165,22 @@ this mechanism can complement a per-package signature.</para> </refsect1> - <refsect1><title>User Configuration</title> +<refsect1><title>Information changes</title> + <para> + A Release file contains beside the checksums for the files in the repository + also general information about the repository like the origin, codename or + version number of the release. + </para><para> + This information is shown in various places so a repository owner should always + ensure correctness. Further more user configuration like &apt-preferences; + can depend and make use of this information. Since version 1.5 the user must + therefore explicitly confirm changes to signal that the user is sufficiently + prepared e.g. for the new major release of the distribution shipped in the + repository (as e.g. indicated by the codename). + </para> +</refsect1> + +<refsect1><title>User Configuration</title> <para> <command>apt-key</command> is the program that manages the list of keys used by APT to trust repositories. It can be used to add or remove keys as well @@ -193,7 +201,7 @@ </para> </refsect1> -<refsect1><title>Archive Configuration</title> +<refsect1><title>Repository Configuration</title> <para> If you want to provide archive signatures in an archive under your maintenance you have to: |
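Review bot: In the hunk at @@ -50,10 +50,20 @@, the added sentence "Since version 1.5 changes in the information contained in the Release file about the repository need to be confirmed" does not say how confirmation is given or where it is explained. The same patch adds an "Information changes" section, so point to it from this sentence so that a reader of the introduction knows where to look. A smaller style point in the same hunk: the added closing </refsect1> sits at column 0 while the <refsect1><title>Unsigned Repositories</title> line that follows is indented; use one indentation for both.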
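Review bot: The hunk at @@ -63,16 +73,6 @@ deletes the only documentation of Binary::apt-get::Acquire::AllowInsecureRepositories and --no-allow-insecure-repositories, yet this diff is limited to doc/apt-secure.8.xml and shows nothing about the apt-get grace period being removed in code. Please confirm the behaviour change lands with or before this commit; otherwise the manpage will state that current APT versions "refuse to download data from them by default" while apt-get still only warns. If the exception is gone, one sentence saying that apt-get no longer differs from the other clients would help users who still carry the old option in their configuration.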
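Review bot: The new "Information changes" section at @@ -172,7 +165,22 @@ says "the user must therefore explicitly confirm changes" but never names the prompt, option or command that performs the confirmation, nor what happens in an unattended run; please add that, since the 1.5 sentence added to the introduction relies on this section for the details. Wording in the same hunk: "Further more" should be "Furthermore", "can depend and make use of" needs "depend on", and "contains beside the checksums ... also general information" reads better as "contains, besides the checksums ..., general information".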
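Review bot: At @@ -193,7 +201,7 @@ the title becomes "Repository Configuration", but the unchanged sentence directly below it still reads "provide archive signatures in an archive under your maintenance". Either update that paragraph to say "repository" as well or keep the old title, so that the section title and its body use the same term.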