[xen-tools-discuss] Security concerns with calling "apt-get --force-yes"
Axel Beckert
abe at deuxchevaux.org
Wed Jan 28 15:10:19 CET 2015
Hi,
thanks for the links.
On Wed, Jan 28, 2015 at 02:40:30PM +0100, Sebastian Pipping wrote:
> > It's currently not clear to me if it would indeed do this.
>
> Please see
> https://www.whonix.org/wiki/Dev/apt-get#Just_using_--force-yes
Well, KEYEXPIRED would be ok for xen-tools from my PoV, especially
as this happens often when debootstrapping ancient releases signed
with keys from back then.

It may happen less often, though, since the time when
archive.debian.org got reorganized and IIRC got signed with more
recent keys. But I don't remember all the details about this. Will
test.

IIRC there is an apt option to explicitly ignore key expiry. But then
again, I'm not sure if that feature is available in older apt releases
as used when debootstrapping older releases.
> >> My current suggestion would be to remove the --force-yes parameter.
> >
> > If this indeed causes unauthenticated packages to be installed, this
> > is probably the correct fix. Otherwise I'm rather reluctant to remove
> > that option.
> >
> > I'll check. Thanks for the report!
>
> Please do, please keep me up to date.
Will do via this ML.
> Btw, for the same topic in grml-debootstrap see
> https://github.com/grml/grml-debootstrap/issues/62
Over there it's as vague as in the man page of apt-get. Same issues
with the issue. ;-)
Kind regards, Axel
--
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | abe at deuxchevaux.org (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | abe at noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)