Linux Mint Forums

[itsucks]

yestaday install mint7 on my hd successed,
(mint7 iso down from http://ftp.heanet.ie/pub/linuxmint.com/ ... Mint-7.iso)
$sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/0C5A2783 2006-11-23
uid Medibuntu Packaging Team <admin@lists.medibuntu.org>
uid The Medibuntu Team <medibuntu@sos-sts.com>
sub 2048g/16C7105A 2006-11-23

pub 1024D/0FF405B2 2009-04-29
uid Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
sub 2048g/0F346519 2009-04-29

pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12

$sudo apt-get update
$apt-cache policy ssmtp
ssmtp:
Installed: (none)
Candidate: 2.62-2.2ubuntu1
Version table:
2.62-2.2ubuntu1 0
500 http://archive.ubuntu.com jaunty/universe Packages

$sudo apt-get install ssmtp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ssmtp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 50.6kB of archives.
After this operation, 8192B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
ssmtp
Authentication warning overridden.
.....

[merlwiz79]

This package comes from Ubuntu's repo not ours.

[jvoegele]

merlwiz79: Since most Mint packages do come from Ubuntu's repo, it would be nice to have a solution for this.

I have just done a fresh install of Linux Mint 7 "Gloria", and the first thing that I tried to do was install some packages using Synaptic. (These are some lower-level packages that do not show up in the mintInstall application.) However, any packages that I try to install from the Ubuntu repositories (which is most of them) causes a warning:

You are about to install software that can't be authenticated! Doing this could allow a malicious individual to damage or take control of your system.

What do I need to do to make sure packages from the Ubuntu repositories are authenticated?

Thanks!

[exploder]

What do I need to do to make sure packages from the Ubuntu repositories are authenticated?

If you have not changed your /etc/apt/sources.list you do not have anything to worry about.

This: (You are about to install software that can't be authenticated!) used to show up when a new package came from our own repos. I think that the way things are set up now protects the Mint specific parts of the system.

[jvoegele]

If you have not changed your /etc/apt/sources.list you do not have anything to worry about.

Do you mean that if I have not changed my sources.list (I haven't) that I should not be receiving this warning message, or that I should expect to see this warning message but I can safely ignore it?

If the former, well I am seeing the warning.

If the latter, I guess I'd prefer not to see this message as most of the packages that I would install come from the Ubuntu repositories, and I'd like to not feel nervous every time I do so.

Thanks again.

[Carl]

If you have not changed your /etc/apt/sources.list you do not have anything to worry about.

Do you mean that if I have not changed my sources.list (I haven't) that I should not be receiving this warning message, or that I should expect to see this warning message but I can safely ignore it?

If the former, well I am seeing the warning.

If the latter, I guess I'd prefer not to see this message as most of the packages that I would install come from the Ubuntu repositories, and I'd like to not feel nervous every time I do so.

Thanks again.

No he's saying to ignore it as it's all perfectly normal

[jvoegele]

No he's saying to ignore it as it's all perfectly normal

I mean no offense, but am I the only one that finds this rather...unsatisfying? Perhaps I am unusual in that many of the packages I need to install come from the Ubuntu repositories and must be installed with Synaptic (or apt-get), but it seems to me something as fundamental as installing Ubuntu packages should not come with scary warning.

[exploder]

It only means that Mint packages have priority so your system has less chance of breakage. The base system is built from Ubuntu. You make the decisions as to the safety of upgrading Ubuntu packages, they are level 3 updates. A good example would be a kernel update, it should be fine but there is a risk involved. Mint packages used to have this warning and we knew that they were fine. The way things are set up now, you actually get less warning messages and you control the level 3 updates using your own judgment.

[dash]

I tried disabling all the other repositories except the mint repo. "deb http://packages.linuxmint.com/ gloria main upstream import" is the only uncommented line in sources.lists. Then I did apt-get update and then:

Code: Select all

$ sudo apt-cache policy xchat-gnome-common
xchat-gnome-common:
  Installed: (none)
  Candidate: 1:0.26.1-1mint1-0ubuntu1
  Version table:
     1:0.26.1-1mint1-0ubuntu1 0
        700 http://packages.linuxmint.com gloria/upstream Packages


Code: Select all

$ sudo apt-get install xchat-gnome-common -d
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  xchat-gnome-common
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1816kB of archives.
After this operation, 5738kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  xchat-gnome-common
Authentication warning overridden.
Get:1 http://packages.linuxmint.com gloria/upstream xchat-gnome-common 1:0.26.1-1mint1-0ubuntu1 [1816kB]
Download complete and in download only mode


So even with all repos except the Mint repo disabled, the authentication warning is still there. I even tried deleting all the keys except the Mint gpg key, then did apt-get clean, apt-get update, and apt-get install xchat-gnome-common -d. Same result. Also, I read this this thread: viewtopic.php?p=150760#p150820 that Mint 7 packages are now signed. If they are signed, then it seems like I should not be getting this error right now.

If this is a result of privileging Mint repos over the Ubuntu repos, why does this problem happen after disabling everything except the Mint repo?

[jkorkean]

It's frustrating for new users to see such warning messages. Telling everyone "It's not a problem" isn't a way to solve this.

[Carl]

It's frustrating for new users to see such warning messages. Telling everyone "It's not a problem" isn't a way to solve this.

it's warning it's meant to be there!, you'd be more annoyed if it wasn't there and then you mucked up your system surely?

[globetrotterdk]

It's frustrating for new users to see such warning messages. Telling everyone "It's not a problem" isn't a way to solve this.

it's warning it's meant to be there!, you'd be more annoyed if it wasn't there and then you mucked up your system surely?

Sorry, but both the problem itself and the answer are counter intuitive. A warning, particularly with this language is to prevent someone from doing something that is endangering the security of the system. Writing that this is normal behavior implies that it is OK to endanger the security of your system.

This message is also unhelpful for users that have added other repositories, as it is unclear which repositories you should consider this abnormal behavior (insecure) and which repositories you should consider this normal (secure) behavior.

[neal]

Popping up authentication warnings as a matter of course isn't the best system design. It lulls users into ignoring the errors and at worst will allow trojaned packages to be installed. This is really a Debian/Ubuntu issue, not just a Mint problem.

If the warning is occuring because packages haven't been signed at all, perhaps a better alert would be something like:

"These packages are not signed. Do you trust this source?"

That would leave the stronger warning for packages that actually fail authentication (i.e. they're signed with an invalid key).

[minter20003000]

Signed repositories are necessary to bypass hacker attempts to inject code/trojans to the downloads.
Our current Internet is very dirty, you must help your minters.
Please take privacy and security very seriously.

Packages authentication is not an option, it's a necessity ASAP.

Thank you guys for a nice Mint distro, still awaiting for some "definitive" release, tired of constantly updating-upgrade, I would like to rest and start to learn about my system.
(Any netbook version in agenda?)

[endontoddy]

I have to agree with this.

'It can safely be ignored' is not good enough. Especially if someone is, (as many do) using repositories other than the core Ubuntu/Mint ones. How are we supposed to know if the warning is valid or if it only appeared because Mint doesn't authenticate its packages?

[thomasmc]

Popping up authentication warnings as a matter of course isn't the best system design. It lulls users into ignoring the errors and at worst will allow trojaned packages to be installed. This is really a Debian/Ubuntu issue, not just a Mint problem.

I have tried a number of Ubuntu based distros, and Mint is the ONLY one with this problem.
The fact that they are so FLIPPANT about user security really infuriates me, and I will probably uninstall Mint as a result.
Either you care about security, or you don't, and obviously Mint does NOT.

[artisan002]

As I see it, this "warning" is the least of my concerns... For one, how much did any of us pay for this distro? Secondly, how many of us are proficient enough to create a distro of our own that is markedly different from it's parent? Yes the alerts are inconvenient. Yes it makes you click to close an extra window. But, I also don't see how a rational mind could consider it a deal breaker. it's not as though the alert is stopping anything from installing or outfitting your computer with viruses/malware. It's just an indicator that Mint doesn't authenticate as being Ubuntu -- because it's not. And that's not something anyone other than the Ubuntu crew can stop. Accordingly, any Ubuntu repository will throw back a quick alert about this. It's not unlike Windows warnings when you try to install something and you're warned that whatever you're installing might be bad. You're still safer this way than your overall odds with Windows.

Furthermore, I haven't seen anything tangible that would indicate that the Mint crew is actually so lax on security. Again, I would say you're odds of safety are better here than with Windows.

In the end, if something like this authentication alert issue is that great a problem, I'm quite certain Linux will present you with other quirks that will draw the same ire. I'd bet it may already have. Linux, by and large, is a free operating system... How often does that happen? And it doesn't just stop at handing you an OS. It provides you with additional software to boot! And it never demands anything in return. However, it lacks a customer service or traditional tech support business model on the side. That's just part of the deal. I've personally had fewer issues with this particular distro than any other one I've tried. And I just don't see how this should have devolved into such a bizarre and unresolvable argument.

[psen]

Me too with this "problem" - I knew that the packages were coming from the official repo so I just blasted my way through it...

But I think it would be handy if the warnings matched the settings in the update manager e.g. "You are installing a level 1, 2, 3... package" with a big red " WHAT ARE YOU DOING, HAL? " for totally unsigned stuff or "I.installed.this.ppm.myself.from.totally.legit.warez.net"...

[garaden]

I have to disagree with artisan's argument. First of all, since Ubuntu and its repos are under the GPL, they can't restrict other distros from accessing them in a secure fashion. Second, one of the effects of the GPL is competition combined with collaboration, so any distro at some kind of disadvantage like this authentication problem can and should be pressured into fixing it. I'd really like to see this get fixed, because authentication for executables is close to a deal-breaker for me.

[johngreth]

I think that rather than arguing about how bad the problem is, we should just find a solution. There is a potential security hole. Whether or not it can be exploited is unknown. Just because it's still significantly more secure than windows doesn't mean that we as a community should accept it as good enough. I agree that if you aren't going to do anything about it you can't complain about it. Pickers can't be choosers. However, projects like Mint exist and are as good as they are because people ask for things to be fixed. I personally would like this to be fixed. I'll probably spend some time working on it and if I find a solution, I'll post it here.