[Secure-testing-team] Bug#808367: apt: defaults to allow insecure repos and documents it wrong

Christoph Anton Mitterer calestyo at scientia.net
Sat Dec 19 03:46:44 UTC 2015


Package: apt
Version: 1.1.5
Severity: normal
Tags: security


Hi.

Apparently, as per:
>apt (1.1~exp5) experimental; urgency=medium
>  * Change default of Acquire::AllowInsecureRepositories to "true"
>    so that this change is less disruptive, this will be switched
>    to "false" again after jessie

insecure repos are not completely forbidden, right now.

However, jessie is out and that hasn't been changed back.


Further the manpage even names a wrong default:
>       AllowInsecureRepositories
>           Allow the update operation to load data files from a repository
>           without a trusted signature. If enabled this option no data files
>           will be loaded and the update operation fails with a error for this
>           source. The default is false for backward compatibility. This will
>           be changed in the future.

I think the general problem here is that the defaults in the manpages aren't
generated out of the code, which is always highly error-prone.

Moreover, the above documentation text is quite ambiguous:
I'd expect that AllowInsecureRepositories=true means that insecure repos are
allowed, right?
However, the text further says:
>If enabled this option no data files will be loaded and the update operation
>fails with a error

Shouldn't that read "if DISABLED"?


Cheers,
Chris.
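
Because the shipped default and the documented default disagree in this report, the effective value is worth checking on each host rather than assumed. The following is an added example, not part of the original message or of apt: a shell audit that classifies Acquire::AllowInsecureRepositories from `apt-config dump`-style text on stdin. The function names and the sample dump are constructed for illustration, and the accepted boolean spellings are assumed to match apt's own parsing.

```shell
#!/bin/sh
# Constructed sample in `apt-config dump` format (not taken from a real host).
SAMPLE_DUMP='APT "";
APT::Architecture "amd64";
Acquire "";
Acquire::AllowInsecureRepositories "true";'

# Print enabled | disabled | unset | invalid for the option read from stdin.
insecure_repos_setting() {
    awk '
        BEGIN { state = "unset" }
        # Option names are matched case-insensitively; a later line overrides
        # an earlier one, as later configuration overrides earlier.
        tolower($1) == "acquire::allowinsecurerepositories" {
            v = tolower($2)
            gsub(/[";]/, "", v)      # strip the quotes and trailing semicolon
            # Assumption: these are the boolean spellings apt accepts.
            if (v ~ /^(true|yes|1|on|enable|with)$/)            state = "enabled"
            else if (v ~ /^(false|no|0|off|disable|without)$/)  state = "disabled"
            else                                                state = "invalid"
        }
        END { print state }
    '
}

# Exit 0 only when unsigned repositories are explicitly refused.
audit_insecure_repos() {
    case "$(insecure_repos_setting)" in
        disabled) echo "OK: repositories without a trusted signature are refused"; return 0 ;;
        enabled)  echo "WARN: repositories without a trusted signature are allowed"; return 1 ;;
        unset)    echo "WARN: option not set; the built-in default of the installed apt applies"; return 1 ;;
        *)        echo "ERROR: unrecognised value for the option"; return 2 ;;
    esac
}

# On a live system: apt-config dump | audit_insecure_repos
```

An unset option is reported as a warning on purpose: per the changelog quoted above, the built-in default may be "true", so only an explicit `Acquire::AllowInsecureRepositories "false";` in the apt configuration counts as a pass.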


