Bug#203741: apt sigcheck patches

[Matt Zimmerman <mdz@debian.org>]

On Thu, Aug 21, 2003 at 11:50:39AM -0400, Colin Walters wrote:

> On Thu, 2003-08-21 at 10:16, Matt Zimmerman wrote:
> 
> > Why should it be necessary to modify sources.list to specify the vendor?
> > I would have either expected this to be determined from the Release
> > file, or to have a list of trusted vendors and not care which source
> > corresponds to which vendor. 
> 
> Well, first because you need to have some way to specify whether or not
> the source is secured.  You can't take the absence of the Release file to
> mean it's not, for obvious reasons.  And a lot of personal-type apt
> sources aren't secured, and aren't likely to be anytime soon.

It seems OK not to specify whether the source is secured, as long as you're
not rejecting insecure sources (maybe issuing a warning?).

> Secondly, because you don't want someone to be able to replace one valid
> archive with another, such as replacing Debian stable (and presumably no
> security holes) with Debian unstable (and presumably some nonempty set of
> holes).

Presumably, if you don't trust Debian unstable, you wouldn't have the key
for unstable in your list.  Though, I guess if we use one key per year
rather than a key per release, this won't work (unfortunately).

> >  It would be nice if we could do this without changing the syntax of
> >  sources.list, so that older apts are forward compatible.
> 
> Well, older apts are forwards compatible - they at least don't barf on the
> [...] because it's been parsed by sourcelist.cc (and ignored) since before
> woody.

Ahh, ok.  No worries then.  I didn't realize that.

> > That would be great; feel free to send me whatever you have.
> 
> Attached is a copy of the Docbook XML we were using for the website.

Thanks.

-- 
 - mdz