[xen-tools-discuss] Security concerns with calling "apt-get --force-yes"
Sebastian Pipping
sebastian at pipping.org
Wed Jan 28 14:40:30 CET 2015
Hello,
On 01/28/2015 02:31 PM, Axel Beckert wrote:
> Hi,
>
> On Wed, Jan 28, 2015 at 11:57:43AM +0100, Sebastian Pipping wrote:
>> If I am not mistaken, --force-yes makes apt-get ignore GPG verification
>> errors which may lead to installation of malicious Debian packages in a
>> man-in-the-middle scenario.
>
> It's currently not clear to me if it would indeed do this.
Please see
https://www.whonix.org/wiki/Dev/apt-get#Just_using_--force-yes
>> "man apt-get" says about "--force-yes":
>>
>> --force-yes
>> Force yes; this is a dangerous option that will cause apt to
>> continue without prompting if it is doing something potentially
>> harmful. It should not be used except in very special situations.
>> Using force-yes can potentially destroy your system!
>
> This sounds rather appropriate here. The process should either abort
> or succeed, but never ask questions.
I agree about the question asking part. Not about --force-yes as a
solution, though :)
>> My current suggestion would be to remove the --force-yes parameter.
>
> If this indeed causes unauthenticated packages to be installed, this
> is probably the correct fix. Otherwise I'm rather reluctant to remove
> that option.
>
> I'll check. Thanks for the report!
Please do, and please keep me up to date.
Btw, for the same topic in grml-debootstrap see
https://github.com/grml/grml-debootstrap/issues/62
Best,
Sebastian
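As an added illustration of the two points made in this thread (that --force-yes must go, and that the build must stay non-interactive without it), the following script is example code written for this page; it is not xen-tools' or grml-debootstrap's own code. It lints a constructed sample hook for apt-get invocations that pass --force-yes, and builds a replacement command line that answers dpkg's conffile prompts with --force-confdef/--force-confold while leaving apt's signature check in force (APT::Get::AllowUnauthenticated stays false). The sample hook and its package names are invented for the demonstration; the apt-get, apt.conf and dpkg options used are real ones. Note that newer apt releases deprecate --force-yes in favour of narrower --allow-* options, so the safe form below also avoids relying on it.

```shell
#!/bin/sh
# Example only: lint a hook script for --force-yes and show a
# non-interactive but still authenticated apt-get invocation.

# Write a constructed sample hook (not real xen-tools code) to a temp file
# and print its path.  One of its three apt-get calls uses --force-yes.
make_sample_hook() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#!/bin/sh
apt-get update
apt-get --force-yes -y install openssh-server
apt-get -y install vim
EOF
    printf '%s\n' "$f"
}

# Print the number of apt/apt-get command lines in FILE that carry
# --force-yes.  grep -c exits 1 when the count is 0, so "|| true" keeps
# the function's own exit status at 0 and leaves the caller to read the count.
count_force_yes() {
    grep -cE '(^|[[:space:];&|])apt(-get)?[[:space:]].*--force-yes' "$1" || true
}

# Build an install command that never prompts but still refuses
# unauthenticated packages:
#  - DEBIAN_FRONTEND=noninteractive silences debconf questions
#  - -y answers apt's own yes/no prompt
#  - APT::Get::AllowUnauthenticated=false keeps GPG failures fatal
#  - Dpkg::Options --force-confdef/--force-confold resolve conffile prompts
#    without asking (keep the existing file unless a default is obvious)
safe_apt_install_cmd() {
    printf 'DEBIAN_FRONTEND=noninteractive apt-get -y -o APT::Get::AllowUnauthenticated=false -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold install %s\n' "$*"
}

# Stand-alone demo: lint the sample hook and print the safe replacement.
hook=$(make_sample_hook)
echo "apt-get lines using --force-yes in $hook: $(count_force_yes "$hook")"
echo "suggested replacement:"
safe_apt_install_cmd openssh-server
rm -f "$hook"
```

The lint is deliberately line-oriented: it will not catch --force-yes smuggled in through a variable such as APT_OPTS, so grep for that pattern too in a real audit.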