Your message dated Tue, 4 Sep 2018 09:38:55 +0200
with message-id <[email protected]>
and subject line Re: Bug#907916: apt-secure: apt-secure should ignore local file: based repository not having a Release file
has caused the Debian Bug report #907916,
regarding apt-secure: apt-secure should ignore local file: based repository not having a Release file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
907916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907916
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt
Version: 1.4.8
Severity: normal
File: apt-secure

I have a file: based repository:
deb file:/ usr/src/deb/

But apt-get update complains:

W: The repository 'file: usr/src/deb/ Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This is excessive. A local file based repository is not dangerous to use just because it doesn't have a Release file.

Adding a release file will in no way secure it - anyone with access to change anything, can also change the Release file.

-Ariel

-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.9.110 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2017.5
ii  gpgv                    2.1.18-8~deb9u2
ii  init-system-helpers     1.48
ii  libapt-pkg5.0           1.4.8
ii  libc6                   2.24-11+deb9u3
ii  libgcc1                 1:6.3.0-18+deb9u1
ii  libstdc++6              6.3.0-18+deb9u1

Versions of packages apt recommends:
ii  gnupg   2.1.18-8~deb9u2
ii  gnupg2  2.1.18-8~deb9u2

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.7-1
ii  dpkg-dev        1.18.25
ii  powermgmt-base  1.31+nmu1
ii  python-apt      1.4.0~beta3
ii  synaptic        0.84.2

-- no debconf information
--- End Message ---
--- Begin Message ---
On Tue, Sep 04, 2018 at 12:03:10AM -0400, Ariel wrote:
> Package: apt
> Version: 1.4.8
> Severity: normal
> File: apt-secure
>
> I have a file: based repository:
> deb file:/ usr/src/deb/
>
> But apt-get update complains:
>
> W: The repository 'file: usr/src/deb/ Release' does not have a Release file.
> N: Data from such a repository can't be authenticated and is therefore
> potentially dangerous to use.
> N: See apt-secure(8) manpage for repository creation and user configuration
> details.
>
> This is excessive. A local file based repository is not dangerous to use just
> because it doesn't have a Release file.
>
> Adding a release file will in no way secure it - anyone with access to change
> anything, can also change the Release file.
>

Requiring a (In)Release file _always_ makes sense, as it tells apt which files are available in the repository. Without it, things get very noisy, as apt tries to download all kinds of indexes that don't exist.

With regards to signing the release file, being explicit about trust is a good thing. A file:/ url might be a remote location mounted locally via NFS or other network file systems. If you are certain that the source is always trustworthy, tell apt that by setting [trusted=yes] in the sources.list file.

In summary, file:/ is no different from any other URL, disabling security checks there opens up a security hole (duh), and there's an easy workaround: This is not a bug.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
--- End Message ---
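The maintainer's reply above rests on the Release file's role as the list of index files apt may fetch and check. The Python below is an added example for this page, not code from apt or from either message: it parses the SHA256 section of a constructed Release file and checks the listed indexes on disk, reporting a listed-but-absent index and a tampered one. The file names, package entry and function names are assumptions made up for the demo.

```python
import hashlib
import os
import tempfile

# Constructed sample data (made up for this demo): a one-package flat repository
# index, and a Release file listing it plus a Sources index that was never created.
PACKAGES = b"Package: hello\nVersion: 1.0\nArchitecture: all\nFilename: ./hello_1.0_all.deb\n\n"
RELEASE = ("Origin: local\nSuite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} Packages\n"
           f" {hashlib.sha256(b'').hexdigest()} 0 Sources\n")

def parse_release_sha256(text):
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):        # a new field; remember whether it is SHA256:
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:                      # continuation line: " <hash> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_repo(repo_dir):
    """Check each index named in Release against disk: {path: "ok"|"missing"|"mismatch"}.
    Only files the Release lists are touched, which is the "what is available" role
    the reply describes. An unsigned Release catches accidental damage only: whoever
    can edit an index can re-hash it here too, hence signing or an explicit [trusted=yes]."""
    with open(os.path.join(repo_dir, "Release")) as f:
        listed = parse_release_sha256(f.read())
    result = {}
    for path, (digest, size) in listed.items():
        full = os.path.join(repo_dir, path)
        if not os.path.exists(full):
            result[path] = "missing"
            continue
        with open(full, "rb") as f:
            data = f.read()
        ok = len(data) == size and hashlib.sha256(data).hexdigest() == digest
        result[path] = "ok" if ok else "mismatch"
    return result

def demo():
    """Write the constructed repo to a temp dir, verify it, then alter Packages."""
    d = tempfile.mkdtemp()
    for name, data in (("Packages", PACKAGES), ("Release", RELEASE.encode())):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    before = verify_repo(d)
    with open(os.path.join(d, "Packages"), "ab") as f:
        f.write(b"Package: evil\n")          # simulate an edited index
    return before, verify_repo(d)
```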

