From 954d30df8d8b0fb4fa203d09674a4fe1e990e55c Mon Sep 17 00:00:00 2001
From: Michael Vogt <mvo@ubuntu.com>
Date: Mon, 13 Oct 2014 09:39:25 +0200
Subject: Document
 Acquire{MaxReleaseFileSize,AllowInsecureRepositories,AllowDowngradeToInsecureRepositories}
 and --no-allow-insecure-repositories

Document the new options to restrict loading unauthenticated data
into our parsers.
---
 doc/apt-get.8.xml  |  8 ++++++++
 doc/apt.conf.5.xml | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml
index 80b3be639..a372a0d30 100644
--- a/doc/apt-get.8.xml
+++ b/doc/apt-get.8.xml
@@ -525,6 +525,14 @@
      Configuration Item: <literal>APT::Get::AllowUnauthenticated</literal>.</para></listitem>
      </varlistentry>
 
+     <varlistentry><term><option>--no-allow-insecure-repositories</option></term>
+     <listitem><para>Forbid the update command to acquire unverifiable
+     data from configured sources. Apt will fail at the update command
+     for repositories without valid cryptographically signatures.
+
+     Configuration Item: <literal>Acquire::AllowInsecureRepositories</literal>.</para></listitem>
+     </varlistentry>
+
      <varlistentry><term><option>--show-progress</option></term>
      <listitem><para>Show user friendly progress information in the
      terminal window when packages are installed, upgraded or
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index 0f98a6fe9..efe986ea8 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -586,6 +586,38 @@ DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt";};
 	 </para></listitem>
      </varlistentry>
 
+     <varlistentry><term><option>MaxReleaseFileSize</option></term>
+	 <listitem><para>
+           The maximum file size of Release/Release.gpg/InRelease files.
+           The default is 10MB.
+	 </para></listitem>
+     </varlistentry>
+
+     <varlistentry><term><option>AllowInsecureRepositories</option></term>
+	 <listitem><para>
+           Allow the update operation to load data files from
+           a repository without a trusted signature. If enabled this
+           option no data files will be loaded and the update
+           operation fails with a error for this source. The default
+           is false for backward compatibility. This will be changed
+           in the future.
+	 </para></listitem>
+     </varlistentry>
+
+     <varlistentry><term><option>AllowDowngradeToInsecureRepositories</option></term>
+	 <listitem><para>
+           Allow that a repository that was previously gpg signed to become
+           unsigned durign a update operation. When there is no valid signature
+           of a perviously trusted repository apt will refuse the update. This
+           option can be used to override this protection. You almost certainly
+           never want to enable this. The default is false.
+
+           Note that apt will still consider packages from this source
+           untrusted and warn about them if you try to install
+           them.
+         </para></listitem>
+     </varlistentry>
+
    </variablelist>
  </refsect1>
 
-- 
cgit v1.2.3