Re: unsigned repositories
Hallo,
* Sam Hartman [Sun, Jul 14 2019, 02:07:55PM]:
> >>>>> "Eduard" == Eduard Bloch <[email protected]> writes:
>
> Eduard> Hallo, * Sam Hartman [Sun, Jul 14 2019, 08:46:18AM]:
> >> >>>>> "Julian" == Julian Andres Klode <[email protected]> writes:
> >>
> >> Please carefully consider uses of apt besides the system level
> >> apt running as root installing packages on the system.
> >>
> >> What about when I use the apt libraries to explore some
> >> repository and parse its packages files etc. Asking people to go
> >> set up the keys for some of these use cases seems like a lot of
> >> work.
>
> Eduard> IMHO this could and should be mitigated. I.e. give people a
> Eduard> tool they can work with without studying rocket science,
> Eduard> following the spirit of letsencrypt etc., which handles the
> Eduard> snakeoil key handling in a lazy way.
>
> Most of the repository generation tools these days do a fairly good job
> of signing the release file.
I am looking at this from the POV of a regular/lazy user. The next best
tool here is apt-ftparchive. Does it help you with signing? No. Does its
manpage even mention InRelease signing in any way? Not really.
Therefore, the critical voices in this thread are right - too early to
enforce strict signing.
> What I'm more worried about is configuring the client apt library in
> cases where you are using it for things other than the main apt instance
> on the system.
Understood, but what's the plan? Shouldn't this be another part of the
apt-secure manpage? Showing the user configuration examples for the few
main usecases?
Best regards,
Eduard.
Reply to: