Your message dated Fri, 14 Aug 2015 10:57:50 +0200 with message-id <20150814085750.GA18019@crossbow> and subject line Re: does not state domain of unauthenticated/unsigned packages has caused the Debian Bug report #678990, regarding does not state URL of unauthenticated/unsigned packages to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
678990: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678990
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.9.5.1

I am testing code on the debian-testing-i386-DVD-1.iso, as it was on 2012 06 11.

I gave the command: apt-get install ttf-dejavu .

It output some info, including " The following NEW packages will be installed: ttf-dejavu ttf-dejavu-extra "

It did not state where it would obtain these packages from. It asked me whether to proceed. I answered "y".

It replied " WARNING: The following packages cannot be authenticated! ttf-dejavu-extra ttf-dejavu Install these packages without verification [y/N]?"

I would prefer that it tell me where these packages will come from, if I were to ask it to proceed. I would like it to tell me BEFORE I ask it to proceed.

If it will obtain the packages from my hard disk or from a local CD-ROM, then I can make a decision. But if these packages are to come over the Internet, then I require a valid signature, before proceeding.

Please alter apt-get to give the user/sys-admin this necessary information BEFORE he decides whether to proceed with the install.

This will become more important when it becomes common-place to install over Wi-Fi, using Wi-Fi 'hotspots'.

I had edited /etc/apt/sources.list, it contains: deb file:///media/cdrom0/ wheezy contrib main .

Best regards
Richard Betham
--- End Message ---
--- Begin Message ---
Hi

On Mon, Jun 25, 2012 at 05:41:05PM +0100, Richard Betham wrote:
> On second thoughts:
> When a lot of packages are asked for, it would be better if apt were
> to state the domain names (and perhaps the dist names) of the
> unsigned-for packages.
> This would serve my purposes adequately, provided that the
> information is available before I decide to proceed with installation
> of unsigned packages.

sources which you trust even though they have no signature can be marked as trusted=yes nowadays (as documented in sources.list manpage). So local sources/cdrom can be marked this way.

Other sources not marked as such will generate this big warning, which is always bad, regardless of the source they come from as ftp.example.org isn't inherently more trustable than ftp2.example.org. In fact, given that they provide unauthenticated packages is a hint that something is very very fishy, regardless of the exact source, but splitting it by source suggests that there is a difference and one of them could somehow be more trusted than the other. Also, an unexperienced user might see big names here thinking "okay, that is probably okay" while actually an attack was performed on him hiding under this name (see man-in-the-middle).

So, longer output & potential for dangerous misunderstandings – I don't think we should not do this and hence I am closing as wontfix.

Best regards

David Kalnischkies
--- End Message ---
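
The reply above recommends marking only local sources as trusted=yes. As an added example (not part of the original thread and not apt's own code), the following sketch parses one-line-style sources.list entries and reports every source marked trusted=yes, labelled local or network. The sample entries, the http URLs built on the thread's example hostnames, and the names `parse_entry` and `audit` are constructed for illustration; treating `file`, `cdrom` and `copy` as the local schemes is an assumption based on sources.list(5).

```python
import re

# URI schemes assumed to read from local media instead of the network.
LOCAL_SCHEMES = {"file", "cdrom", "copy"}

# One-line-style entry: type, optional [options], URI, suite, components.
# cdrom: URIs may carry a bracketed disc label that contains spaces.
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?"
    r"((?:cdrom:\[[^\]]*\]\S*)|\S+)\s+(\S+)(.*)$")

# Constructed sample input, not taken from a real system.
SAMPLE = """\
deb [trusted=yes] file:///media/cdrom0/ wheezy contrib main
deb http://ftp.example.org/debian wheezy main
deb [ arch=i386 trusted=yes ] http://ftp2.example.org/debian wheezy main  # constructed
"""


def parse_entry(line):
    """Parse one sources.list line; return None for blanks and comments."""
    line = line.split("#", 1)[0].strip()
    m = ENTRY.match(line)
    if not m:
        return None
    kind, opts, uri, suite, _components = m.groups()
    options = {}
    for token in (opts or "").split():
        key, _, value = token.partition("=")
        options[key.lower()] = value
    return {"type": kind, "options": options, "uri": uri, "suite": suite,
            "scheme": uri.split(":", 1)[0].lower()}


def audit(text):
    """Return (uri, suite, 'local'|'network') for each trusted=yes source."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        # Only the value named in the thread (trusted=yes) is matched here.
        if entry is None or entry["options"].get("trusted", "").lower() != "yes":
            continue
        where = "local" if entry["scheme"] in LOCAL_SCHEMES else "network"
        findings.append((entry["uri"], entry["suite"], where))
    return findings


if __name__ == "__main__":
    for uri, suite, where in audit(SAMPLE):
        print(f"{where:8} {uri} {suite}")
```

A `network` finding means packages from that source are installed without signature verification and without the warning shown in the report, so it is the case to review first.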