[Aptitude-devel] Bug#889924: Clarification

KatolaZ katolaz at freaknet.org
Fri Feb 9 08:10:38 UTC 2018


I just wanted to clarify some of the things that were said above.

First of all, Devuan does not want to "extort" anything ;)

Second, OmegaPhil approached us on IRC saying that Devuan "had" to set
Origin, because having it blank was breaking "aptitude changelog",
which "verifies" the source of the repo. I pointed out that, according
to:

 https://wiki.debian.org/DebianRepository/Format#Origin

Origin is an "Optional field indicating the origin of the repository,
a single line of free form text". So, the check currently implemented
in aptitude, based on matching the optional "single line of free form
text" contained in Origin, is *not* useful to "verify" anything. It
can only verify that the distributor (whoever they are, not
necessarily Debian or Ubuntu or Devuan) has put that specific string
in Origin.

We all know that the only way to check that a repo is genuinely from
Debian is by verifying that the corresponding Release files were
signed with the release keys published at:

  https://ftp-master.debian.org/keys.html

so that specific check OmegaPhil is referring to is not adding any
extra level of security.

I personally think that a sane solution would be to have that check
configurable in aptitude, but I don't see it as a priority, TBH. My
personal take is that, if a fix is implemented, the users should be
warned that those extra checks based on Origin are only indicative,
and do not add any level of security. 

Hope this helps to clarify this matter.

Thanks again for your work on Debian and aptitude: it is very much
appreciated.

HND

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
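An added example, not code from aptitude, Devuan, or anyone in this thread, to show the point the message makes: the Origin field of a Release file is free-form text that any mirror operator can set, so matching it labels a repository but does not authenticate it, whereas verifying the Release signature against a pinned keyring does. The Release bodies below are constructed samples, the `gpgv` invocation assumes gpgv is installed, and the keyring path is a caller-supplied placeholder.

```python
# Added example; not code from the aptitude project or the mailing-list thread.
import subprocess
from typing import Any, Callable, Dict, Optional


def parse_release(text: str) -> Dict[str, str]:
    """Parse the "Field: value" lines of a plain Release file body.

    Indented lines continue the previous field (the SHA256/MD5Sum file lists
    use this). Parsing says nothing about authenticity: any mirror can write
    any value into any field, Origin included.
    """
    fields: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last is not None:
            fields[last] = (fields[last] + "\n" + line.strip()).strip()
            continue
        if ":" not in line:
            continue  # not a field line; ignore
        key, value = line.split(":", 1)
        last = key.strip()
        fields[last] = value.strip()
    return fields


def origin_matches(fields: Dict[str, str], expected: str) -> bool:
    """The aptitude-style check discussed in the thread: compare the free-form
    Origin string with an expected distributor name. Indicative only."""
    return fields.get("Origin", "") == expected


def signature_verifies(release_path: str, sig_path: str, keyring: str,
                       run: Callable[..., Any] = subprocess.run) -> bool:
    """Verify a detached Release.gpg against Release with gpgv and a pinned
    keyring (e.g. the distribution's archive keyring; path supplied by the
    caller). Returns False if gpgv is missing or exits non-zero.
    `run` is injectable so the call can be stubbed in tests."""
    cmd = ["gpgv", "--keyring", keyring, sig_path, release_path]
    try:
        completed = run(cmd, capture_output=True, check=False)
    except FileNotFoundError:
        return False  # gpgv not installed: treat as unverified
    return completed.returncode == 0


def trust_decision(fields: Dict[str, str], expected_origin: str, sig_ok: bool) -> str:
    """Weigh the two results the way the thread argues: the signature decides,
    Origin only labels."""
    if not sig_ok:
        return "reject: Release signature did not verify against the pinned keyring"
    if not origin_matches(fields, expected_origin):
        return ("accept with note: signed by a trusted key, Origin %r differs from %r "
                "(indicative only)" % (fields.get("Origin", ""), expected_origin))
    return "accept: signed by a trusted key; Origin matches"


# Constructed sample Release bodies (not real repository metadata).
GENUINE_STYLE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: constructed
Date: Fri, 09 Feb 2018 08:10:38 UTC
Architectures: amd64
Components: main
Description: constructed sample, not a real Debian Release file
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Same Origin string, written by a third-party mirror: passes the string check.
IMPOSTOR = GENUINE_STYLE.replace("Label: Debian", "Label: third-party mirror")

# A repository that left Origin blank (the situation described in the thread).
BLANK_ORIGIN = GENUINE_STYLE.replace("Origin: Debian", "Origin:")


if __name__ == "__main__":
    for name, body in (("genuine-style", GENUINE_STYLE), ("impostor", IMPOSTOR),
                       ("blank-origin", BLANK_ORIGIN)):
        f = parse_release(body)
        print(f"{name:13s} Origin={f.get('Origin', '')!r:10s} "
              f"origin_matches('Debian')={origin_matches(f, 'Debian')}")
    # Real verification needs the files on disk and a pinned keyring, e.g.:
    #   signature_verifies("dists/stable/Release", "dists/stable/Release.gpg",
    #                      "/path/to/archive-keyring.gpg")  # placeholder path
```

Running the block prints that the impostor body passes `origin_matches` exactly as the genuine-style one does while the blank-Origin body fails it, which is the thread's point: the string match distinguishes labels, not signers. Only `signature_verifies`, run against real `Release`/`Release.gpg` files with a keyring you trust, changes the outcome of `trust_decision`.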