Bug#878958: apt: let admins decide security matters not the apt team
Package: apt
Version: 1.4.8
Severity: wishlist
Dear Maintainer,
Aptitude developers have taken the liberty of deciding for everyone
subjectively what quality of cryptographic signature is adequate for
everyone in a single sweeping decision, without knowing the individual
threat models and assets that the decision is trying to protect. This
decision is in the wrong hands. Sys admins are accountable for the
security of the systems they control, and so responsibility and
control should go to the same people who have accountability.
Specifically, consider the SHA1 removal, documented here:
https://wiki.debian.org/Teams/Apt/Sha1Removal
If the apt team must decide on everyone's security standards, blocking
SHA1 was a good move. But that's not the case. The apt suite of
tools could have some sensible defaults as far as which signing
algorithms are accepted or not, but ultimately the admin should be in
control of her own system. Maybe an admin finds SHA256 insufficient,
and requires an even higher standard. Who is the apt team to tell her
which algorithm she may and may not trust?
There is a hack to say trust all, which can even be used on a per
repository basis or all repositories, but this is the wrong mechanism
as it disables validity checking entirely. The sys admin should
control which algorithms are fit for purpose, and the apt tool should
check validity on admin-permitted algorithms.
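As an added illustration of the admin-side check the report asks for (example code written for this page, not part of the bug report or of apt): read the hash-algorithm byte out of a repository's detached signature and compare it against a digest allowlist the admin chooses. It assumes binary OpenPGP packets as input (an armored Release.gpg can be converted with `gpg --dearmor`), uses a constructed, non-verifying signature packet as sample data, and only classifies the digest; it complements gpgv's actual signature verification rather than replacing it.

```python
# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def iter_packets(data):
    """Yield (tag, body) for each packet in data; handles old and new header formats."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                              # new format: tag in the low 6 bits
            tag, b = ctb & 0x3F, data[i]
            i += 1
            if b < 192:
                length = b
            elif b < 224:
                length = ((b - 192) << 8) + data[i] + 192; i += 1
            elif b == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                       # old format: tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def signature_hash_algos(data):
    """Hash algorithm of every v4 signature packet (tag 2): byte 3 of the body."""
    return [HASH_ALGOS.get(body[3], "unknown(%d)" % body[3])
            for tag, body in iter_packets(data) if tag == 2 and body[0] == 4]

def check_policy(data, allowed=("SHA256", "SHA384", "SHA512")):
    """Admin-chosen policy: accept only if every signature uses an allowed digest."""
    algos = signature_hash_algos(data)
    return bool(algos) and all(a in allowed for a in algos), algos

# Constructed sample (not a real signature): v4 skeleton with dummy subpackets/MPI.
def fake_sig(hash_algo):
    body = bytes([4, 0, 1, hash_algo]) + b"\0\0\0\0" + b"\x12\x34" + b"\0\x08\xab"
    return bytes([0xC2, len(body)]) + body          # new-format header for tag 2

SHA1_SIG, SHA256_SIG = fake_sig(2), fake_sig(8)
```

On a real file the same call is `check_policy(open("Release.gpg.bin", "rb").read())` after dearmoring; a repository signed with several keys yields one entry per signature, so the policy can insist that all of them meet the bar.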
-- Package-specific info:
-- (no /etc/apt/preferences present) --
-- (no /etc/apt/preferences.d/* present) --
-- (/etc/apt/sources.list present, but not submitted) --
-- (/etc/apt/sources.list.d/gc2latex.list present, but not submitted) --
-- (/etc/apt/sources.list.d/gc2latex.list.save present, but not submitted) --
-- (/etc/apt/sources.list.d/gc2latex.list~ present, but not submitted) --
-- (/etc/apt/sources.list.d/ring-nightly-main.list present, but not submitted) --
-- (/etc/apt/sources.list.d/ring-nightly-main.list.save present, but not submitted) --
-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt depends on:
ii adduser 3.115
ii debian-archive-keyring 2017.5
ii gpgv 2.1.18-8~deb9u1
ii init-system-helpers 1.48
ii libapt-pkg5.0 1.4.8
ii libc6 2.24-11+deb9u1
ii libgcc1 1:6.3.0-18
ii libstdc++6 6.3.0-18
Versions of packages apt recommends:
ii gnupg 2.1.18-8~deb9u1
Versions of packages apt suggests:
pn apt-doc <none>
ii aptitude 0.8.7-1
ii dpkg-dev 1.18.24
ii powermgmt-base 1.31+nmu1
pn python-apt <none>
ii synaptic 0.84.2
-- debconf information excluded