make apt-get stop bothering me about signatures

Paul Johnson pauljohn32 at gmail.com
Wed Sep 3 18:55:03 UTC 2008


On Tue, Sep 2, 2008 at 2:01 PM, Andy <stude.list at googlemail.com> wrote:
> Paul Johnson wrote:
>> There are 2 sites where I get deb packages but the authors do not
>> sign them.  I want apt-get to stop bugging me about the lack of
>> signatures.
>
> Apt does that for a good reason! Allowing unsigned packages
> automatically presents an extremely serious security threat. Effectively
> it could result in remote code execution at root level. There is no more
> serious threat!
>
> If someone intercepts the HTTP connection (depending what networks you
> use this could be very easy to do), they could install anything they
> liked, and run scripts with root privileges.
>
> Having said this you could try passing the flag --allow-unauthenticated
> to apt-get or set the option APT::Get::AllowUnauthenticated in apt.conf
> (for details man apt.conf ).
>
> However I must stress that it is extremely dangerous to permit
> unauthenticated packages to be automatically installed. is if you are
> entirely certain about the risks this poses and are willing to bear the
> consequences.
>
>
> Andy
>

Well, this makes me think there is a weakness in apt-get compared
against yum in Fedora.  You seem to say it is necessary for me to
accept all unsigned packages, rather than simply accepting unsigned
packages from one particular trusted site.

Live and learn, I guess.

FYI, there's no documentation on AllowUnauthenticated in "man
apt.conf", though. At least, not in Ubuntu 8.04.

pj



-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas



