
Bug#907916: marked as done (apt-secure: apt-secure should ignore local file: based repository not having a Release file)



Your message dated Tue, 4 Sep 2018 09:38:55 +0200
with message-id <20180904093838.GA5774@debian.org>
and subject line Re: Bug#907916: apt-secure: apt-secure should ignore local file: based repository not having a Release file
has caused the Debian Bug report #907916,
regarding apt-secure: apt-secure should ignore local file: based repository not having a Release file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
907916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907916
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.4.8
Severity: normal
File: apt-secure

I have a file: based repository:
deb file:/ usr/src/deb/

But apt-get update complains:

W: The repository 'file: usr/src/deb/ Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This is excessive. A local file based repository is not dangerous to use just because it doesn't have a Release file.

Adding a release file will in no way secure it - anyone with access to change anything, can also change the Release file.

	-Ariel

-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.9.110 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2017.5
ii  gpgv                    2.1.18-8~deb9u2
ii  init-system-helpers     1.48
ii  libapt-pkg5.0           1.4.8
ii  libc6                   2.24-11+deb9u3
ii  libgcc1                 1:6.3.0-18+deb9u1
ii  libstdc++6              6.3.0-18+deb9u1

Versions of packages apt recommends:
ii  gnupg   2.1.18-8~deb9u2
ii  gnupg2  2.1.18-8~deb9u2

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.7-1
ii  dpkg-dev        1.18.25
ii  powermgmt-base  1.31+nmu1
ii  python-apt      1.4.0~beta3
ii  synaptic        0.84.2

-- no debconf information

--- End Message ---
--- Begin Message ---
On Tue, Sep 04, 2018 at 12:03:10AM -0400, Ariel wrote:
> Package: apt
> Version: 1.4.8
> Severity: normal
> File: apt-secure
> 
> I have a file: based repository:
> deb file:/ usr/src/deb/
> 
> But apt-get update complains:
> 
> W: The repository 'file: usr/src/deb/ Release' does not have a Release file.
> N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
> N: See apt-secure(8) manpage for repository creation and user configuration details.
> 
> This is excessive. A local file based repository is not dangerous to use just because it doesn't have a Release file.
> 
> Adding a release file will in no way secure it - anyone with access to change anything, can also change the Release file.
> 

Requiring a (In)Release file _always_ makes sense, as it tells apt which files are available in the
repository. Without it, things get very noisy, as apt tries to download all kinds of
indexes that don't exist.

With regards to signing the release file, being explicit about trust is a good thing. A file:/
url might be a remote location mounted locally via NFS or other network file systems. If you are
certain that the source is always trustworthy, tell apt that by setting [trusted=yes] in the
sources.list file.

In summary, file:/ is no different from any other URL, disabling security checks there
opens up a security hole (duh), and there's an easy workaround: this is not a bug.


-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---
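The two points in the reply, that a Release file is what tells apt which indexes exist and that trust must be stated explicitly, can be shown on a throwaway flat repository. The script below is an added example, not code from the bug report or from the apt project: it writes a Release file for a flat directory by hand (what apt-ftparchive would normally produce), checks the listed indexes against their recorded SHA256 sums, and prints the two sources.list forms, with and without `[trusted=yes]`. The repository path `/usr/src/deb`, the flat-repository form `deb file:/usr/src/deb ./`, the sample Packages stanza and the helper names are all constructed for the example; it assumes coreutils (`sha256sum`, `wc`) and awk.

```shell
#!/bin/sh
# Added example (not from the bug report or apt): build a minimal flat
# file: repository with a Release file and show the sources.list forms.
set -eu

# Write $repo/Release listing the given index files with size and SHA256.
# Constructed stand-in for "apt-ftparchive release"; assumes coreutils.
write_release() {
    repo="$1"; shift
    {
        printf 'Origin: local\nLabel: local\nSuite: local\nCodename: local\n'
        printf 'Architectures: amd64 i386\nDescription: constructed local repository\n'
        printf 'Date: %s\n' "$(date -R 2>/dev/null || date)"
        printf 'SHA256:\n'
        for f in "$@"; do
            size=$(wc -c < "$repo/$f" | tr -d ' ')
            sum=$(sha256sum "$repo/$f" | cut -d' ' -f1)
            printf ' %s %16d %s\n' "$sum" "$size" "$f"
        done
    } > "$repo/Release"
}

# Recompute the SHA256 of every index named in $repo/Release and compare.
# Returns non-zero on the first mismatch (the loop runs in a pipeline
# subshell, so "exit 1" only leaves that subshell and sets the status).
verify_release() {
    repo="$1"
    awk '/^SHA256:/ {p=1; next} /^[^ ]/ {p=0} p {print $1, $3}' "$repo/Release" |
    while read -r sum f; do
        actual=$(sha256sum "$repo/$f" | cut -d' ' -f1)
        [ "$sum" = "$actual" ] || { echo "mismatch: $f" >&2; exit 1; }
    done
}

# Print the sources.list line for a flat file: repository at $1.
# "yes" as $2 adds [trusted=yes], which turns off signature checking for
# that source: only do this where nobody you distrust can write to the
# path (a local disk, not an NFS export from an untrusted server).
sources_line() {
    dir="$1"; trusted="${2:-no}"
    if [ "$trusted" = yes ]; then
        printf 'deb [trusted=yes] file:%s ./\n' "$dir"
    else
        printf 'deb file:%s ./\n' "$dir"
    fi
}

# Demo on a temporary directory with a constructed one-package index.
demo_dir=$(mktemp -d)
printf 'Package: hello\nVersion: 1.0\nArchitecture: amd64\n' > "$demo_dir/Packages"
printf 'Filename: ./hello_1.0_amd64.deb\n\n' >> "$demo_dir/Packages"
write_release "$demo_dir" Packages
verify_release "$demo_dir" && echo "Release matches its indexes"
cat "$demo_dir/Release"
sources_line /usr/src/deb
sources_line /usr/src/deb yes
rm -rf "$demo_dir"
```

An unsigned Release file satisfies the first point in the reply (apt now knows that only `Packages` exists and stops probing for other indexes) but not the second: apt will still refuse an unsigned source unless the Release file is signed (an `InRelease` or `Release.gpg` produced with a key in apt's trusted keyring) or the line carries `[trusted=yes]`, exactly as apt-secure(8) describes.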
