[xen-tools-discuss] Security concerns with calling "apt-get --force-yes"
Axel Beckert
abe at deuxchevaux.org
Wed Jan 28 15:31:43 CET 2015
Hi,

On Wed, Jan 28, 2015 at 02:40:30PM +0100, Sebastian Pipping wrote:
> > On Wed, Jan 28, 2015 at 11:57:43AM +0100, Sebastian Pipping wrote:
> >> If I am not mistaken, --force-yes makes apt-get ignore GPG verification
> >> errors which may lead to installation of malicious Debian packages in a
> >> man-in-the-middle scenario.
[...]
> Please do, please keep me up to date.

I've tracked down --force-yes usage in xen-tools as far as its version
history is available. So no chance to find any reasoning in the commit
messages or so.

It's already present in the commit 89e2c704[1] which has the commit
message "Initial import". (Which actually isn't the first commit, but
the second, but still from 2005, too.)

[1] https://gitorious.org/xen-tools/xen-tools/commit/89e2c70498ff92ff37c39b870ff9abfe7469bfd1

Kind regards, Axel
--
 /~\  Plain Text Ribbon Campaign                   | Axel Beckert
 \ /  Say No to HTML in E-Mail and News            | abe at deuxchevaux.org (Mail)
  X   See http://www.nonhtmlmail.org/campaign.html | abe at noone.org (Mail+Jabber)
 / \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)