Bug#389646: apt should try to import a key if a package was signed by a unknown key

2006-09-27 Thread Otavio Salvador
Rober Morales <[EMAIL PROTECTED]> writes:

>> > It'll reduce the security of the machine since it won't make a difference
>> > whether the key is known or not before you upgrade or install a package.
>>
>> Agreed; an idea might be to import the key to some "untrusted" keyring,
>> and allow the user to add it to the "trusted" list after giving some
>> stern lecture why you shouldn't trust anyone.
>>
>
> APT already continues with the install/upgrade if the user answers "Yes" to the 
> warning question.
>
> The new feature I want is to make possible the fact that apt can, /with/ the 
> user confirmation, import the key the package is signed with:
>
> WARNING: The key 0BDCE is not known: Install anyway? Yes/[No]:
> Yes
>
> WARNING: Do you want APT to import the key to your keyring now? Yes/[No]:
> Yes

I see your point, but I still think that it shouldn't be too easy for
someone to add a key to the trusted keyring; otherwise most people
will just start to do that too much.

Besides, as Simon said, it would be good to warn the user why this is
dangerous and why he/she should avoid using non-official
packages.

I personally see why you would like to have it but I don't think the
price that we might pay is enough... :(

-- 
O T A V I O  S A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-
"Microsoft gives you Windows ... Linux gives
 you the whole house."


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
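
A sketch of the check behind the "untrusted keyring" idea discussed in this thread, as an added example that is not part of any message or of APT: a key held in a quarantine keyring is promoted only when its full primary-key fingerprint matches one the user obtained out of band, and a short key ID is refused outright. The listing, the fingerprints and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed, abridged output of
#   gpg --no-default-keyring --keyring "$QUARANTINE" --list-keys --with-colons --fingerprint
# for a hypothetical quarantine keyring; every key and fingerprint is made up.
SAMPLE_LISTING='pub:-:1024:17:AAAABBBBCCCC0BDC:1159315200:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCC0BDC:
uid:-::::1159315200::X::Example Archive Key <archive@example.org>:
sub:-:2048:16:1111222233334444:1159315200::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:'

# Strip whitespace and upper-case a fingerprint as a user would paste it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# True only for a full 40-hex-digit (v4) fingerprint, never a short key ID.
is_full_fpr() {
    case "$1" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Read a --with-colons listing on stdin; print the fingerprint of each
# primary key (the fpr record right after pub), skipping subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# may_promote EXPECTED_FPR LISTING
# 0: a quarantined primary key has exactly that fingerprint
# 1: well-formed fingerprint, but no quarantined key matches
# 2: EXPECTED_FPR is not a full fingerprint (e.g. a short key ID)
may_promote() {
    expected=$(normalize_fpr "$1")
    is_full_fpr "$expected" || return 2
    printf '%s\n' "$2" | primary_fprs | grep -qxF "$expected"
}

for candidate in "0123 4567 89AB CDEF 0123 4567 AAAA BBBB CCCC 0BDC" "CCCC0BDC"; do
    if may_promote "$candidate" "$SAMPLE_LISTING"; then
        echo "promote to trusted keyring: $candidate"
    else
        echo "keep in quarantine: $candidate"
    fi
done
```

The promotion step itself (exporting from the quarantine keyring and adding to the trusted one) is left to the caller, so that it only ever runs after `may_promote` returns 0.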



Bug#389646: apt should try to import a key if a package was signed by a unknown key

2006-09-27 Thread Rober Morales
> > It'll reduce the security of the machine since it won't make a difference
> > whether the key is known or not before you upgrade or install a package.
>
> Agreed; an idea might be to import the key to some "untrusted" keyring,
> and allow the user to add it to the "trusted" list after giving some
> stern lecture why you shouldn't trust anyone.
>

APT already continues with the install/upgrade if the user answers "Yes" to the 
warning question.

The new feature I want is to make possible the fact that apt can, /with/ the 
user confirmation, import the key the package is signed with:

WARNING: The key 0BDCE is not known: Install anyway? Yes/[No]:
Yes

WARNING: Do you want APT to import the key to your keyring now? Yes/[No]:
Yes

TIA!



Regards,

Rober Morales-Chaparro





Bug#389646: apt should try to import a key if a package was signed by a unknown key

2006-09-27 Thread Simon Richter
Otavio,

> It'll reduce the security of the machine since it won't make a difference
> whether the key is known or not before you upgrade or install a package.

Agreed; an idea might be to import the key to some "untrusted" keyring,
and allow the user to add it to the "trusted" list after giving some
stern lecture why you shouldn't trust anyone.

   Simon





Bug#389646: apt should try to import a key if a package was signed by a unknown key

2006-09-26 Thread Otavio Salvador
tag 389646 + wontfix
thanks

Rober Morales-Chaparro <[EMAIL PROTECTED]> writes:

> Package: apt
> Version: 0.6.45
> Severity: minor
>
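> Instead of showing a warning message when apt does not know the key, apt
> can try to execute (with or without the user confirmation?):
>
> #!/bin/bash
> KEY=$1
>
> # Fetch the key with this ID from the keyserver into the user's GnuPG keyring
> gpg --keyserver subkeys.pgp.net --recv "$KEY"
> # Export it and add it to APT's trusted keyring
> gpg --export --armor "$KEY" | apt-key add -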

It'll reduce the security of the machine since it won't make a difference
whether the key is known or not before you upgrade or install a package.

IMO that makes APT's security feature useless; hence, wontfix.

-- 
O T A V I O  S A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-
"Microsoft gives you Windows ... Linux gives
 you the whole house."





Bug#389646: apt should try to import a key if a package was signed by a unknown key

2006-09-26 Thread Rober Morales-Chaparro
Package: apt
Version: 0.6.45
Severity: minor

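Instead of showing a warning message when apt does not know the key, apt
can try to execute (with or without the user confirmation?):

#!/bin/bash
KEY=$1

# Fetch the key with this ID from the keyserver into the user's GnuPG keyring
gpg --keyserver subkeys.pgp.net --recv "$KEY"
# Export it and add it to APT's trusted keyring
gpg --export --armor "$KEY" | apt-key add -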


TIA!



-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Cache-Limit "92582912";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok 
installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; 
echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 
; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-1) (ignored: 
LC_ALL set to es_ES)

Versions of packages apt depends on:
ii  libc6   2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libgcc1 1:4.2-20060923-1 GCC support library
ii  libstdc++6  4.1.1-5  The GNU Standard C++ Library v3

Versions of packages apt recommends:
ii  debian-archive-keyring 2006.01.18 GnuPG archive keys of the Debian a

-- no debconf information

