Bug#389646: apt should try to import a key if a package was signed by a unknown key
Rober Morales <[EMAIL PROTECTED]> writes:

>> > It'll reduce the security of the machine, since it won't make a
>> > difference whether the key is known or not before you upgrade or
>> > install a package.
>>
>> Agreed; an idea might be to import the key to some "untrusted" keyring,
>> and allow the user to add it to the "trusted" list after giving some
>> stern lecture why you shouldn't trust anyone.
>>
>
> APT already continues with the install/upgrade if the user answers "Yes"
> to the warning question.
>
> The new feature I want is to make possible the fact that apt can, /with/
> the user confirmation, import the key the package is signed with:
>
> WARNING: The key 0BDCE is not known: Install anyway? Yes/[No]:
> Yes
>
> WARNING: Do you want APT import the key to your keyring now? Yes/[No]:
> Yes

I see your point, but I still think that it shouldn't be too easy for
someone to add a key to the trusted keyring, otherwise most people will
just start to do that too much.

Besides, as Simon said, it would be good to warn the user why this is
dangerous and why he/she should avoid using non-official packages.

I personally see why you would like to have it but I don't think the
price that we might pay is enough... :(

--
O T A V I O  S A L V A D O R
E-mail: [EMAIL PROTECTED]  UIN: 5906116
GNU/Linux User: 239058  GPG ID: 49A5F855
Home Page: http://www.freedom.ind.br/otavio
"Microsoft gives you Windows ... Linux gives you the whole house."

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#389646: apt should try to import a key if a package was signed by a unknown key
> > It'll reduce the security of the machine, since it won't make a
> > difference whether the key is known or not before you upgrade or
> > install a package.
>
> Agreed; an idea might be to import the key to some "untrusted" keyring,
> and allow the user to add it to the "trusted" list after giving some
> stern lecture why you shouldn't trust anyone.
>

APT already continues with the install/upgrade if the user answers "Yes"
to the warning question.

The new feature I want is to make possible the fact that apt can, /with/
the user confirmation, import the key the package is signed with:

WARNING: The key 0BDCE is not known: Install anyway? Yes/[No]:
Yes

WARNING: Do you want APT import the key to your keyring now? Yes/[No]:
Yes

TIA!

Regards,
Rober Morales-Chaparro
Bug#389646: apt should try to import a key if a package was signed by a unknown key
Otavio,

> It'll reduce the security of the machine, since it won't make a
> difference whether the key is known or not before you upgrade or
> install a package.

Agreed; an idea might be to import the key to some "untrusted" keyring,
and allow the user to add it to the "trusted" list after giving some
stern lecture why you shouldn't trust anyone.

Simon
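The staging idea in the message above, as an added example that is not part of the thread or of APT: the key is fetched into a separate keyring and handed to apt-key only when its full fingerprint matches one obtained through an independent channel. The staging path, the function names and the fingerprint-match gate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: stage an unknown key outside APT's
# trusted set; promote it only on a full-fingerprint match.
# STAGING and all function names are hypothetical.
STAGING="${STAGING:-$HOME/.apt-staging.gpg}"  # assumed path
KEYSERVER="${KEYSERVER:-subkeys.pgp.net}"     # keyserver from the report

# Drop separators and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# True only for a full 40-hex-digit fingerprint. A short ID like the
# "0BDCE" in the proposed warning is rejected.
is_full_fpr() {
    f=$(normalize_fpr "$1")
    [ "${#f}" -eq 40 ] || return 1
    case "$f" in *[!0-9A-F]*) return 1 ;; esac
    return 0
}

# Compare what gpg reports with what the admin got from another channel.
fpr_matches() {
    is_full_fpr "$1" && is_full_fpr "$2" &&
        [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fingerprint of the staged key from gpg's colon-delimited output.
staged_fpr() {
    gpg --no-default-keyring --keyring "$STAGING" --with-colons \
        --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: stage_and_promote KEYID EXPECTED_FINGERPRINT
stage_and_promote() {
    gpg --no-default-keyring --keyring "$STAGING" \
        --keyserver "$KEYSERVER" --recv-keys "$1" || return 1
    got=$(staged_fpr "$1")
    if fpr_matches "$got" "$2"; then
        gpg --no-default-keyring --keyring "$STAGING" \
            --export --armor "$got" | apt-key add -
    else
        echo "Fingerprint mismatch; key stays in $STAGING only." >&2
        return 1
    fi
}
```

A key that fails the comparison remains in the staging keyring, where APT does not consult it.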
Bug#389646: apt should try to import a key if a package was signed by a unknown key
tag 389646 + wontfix
thanks

Rober Morales-Chaparro <[EMAIL PROTECTED]> writes:

> Package: apt
> Version: 0.6.45
> Severity: minor
>
> Instead of showing a warning message when apt does not know the key, apt
> can try to execute (with or without the user confirmation?):
>
> #!/bin/bash
> KEY=$1
>
> gpg --keyserver subkeys.pgp.net --recv $KEY
> gpg --export --armor $KEY | apt-key add -

It'll reduce the security of the machine, since it won't make a
difference whether the key is known or not before you upgrade or
install a package.

IMO that makes the APT security feature useless, hence wontfix.

--
O T A V I O  S A L V A D O R
E-mail: [EMAIL PROTECTED]  UIN: 5906116
GNU/Linux User: 239058  GPG ID: 49A5F855
Home Page: http://www.freedom.ind.br/otavio
"Microsoft gives you Windows ... Linux gives you the whole house."
Bug#389646: apt should try to import a key if a package was signed by a unknown key
Package: apt
Version: 0.6.45
Severity: minor

Instead of showing a warning message when apt does not know the key, apt
can try to execute (with or without the user confirmation?):

#!/bin/bash
KEY=$1

gpg --keyserver subkeys.pgp.net --recv $KEY
gpg --export --armor $KEY | apt-key add -

TIA!

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Cache-Limit "92582912";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";

-- (no /etc/apt/preferences present) --

-- (/etc/apt/sources.list present, but not submitted) --

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-1) (ignored: LC_ALL set to es_ES)

Versions of packages apt depends on:
ii  libc6        2.3.6.ds1-4        GNU C Library: Shared libraries
ii  libgcc1      1:4.2-20060923-1   GCC support library
ii  libstdc++6   4.1.1-5            The GNU Standard C++ Library v3

Versions of packages apt recommends:
ii  debian-archive-keyring  2006.01.18  GnuPG archive keys of the Debian a

-- no debconf information