Not Authenticated

Questions about the project and the distribution - obviously no support questions here please

Postby Martin Marshalek on Tue Sep 01, 2009 10:56 am

Why is it that all packages in synaptic say that they are "Not Authenticated" (Ubuntu repo, Mint repo, Medibuntu repo) when I install or update? Is this normal? Is there a fix for this?
Martin Marshalek
Level 1
 
Posts: 19
Joined: Mon Aug 31, 2009 6:10 pm

Re: Not Authenticated

Postby Muzer on Tue Sep 01, 2009 11:00 am

It's normal.
Muzer
Level 4
 
Posts: 221
Joined: Thu Aug 27, 2009 2:09 pm

Re: Not Authenticated

Postby Martin Marshalek on Tue Sep 01, 2009 11:36 am

Okay, I thought so, but is there any way to fix this yet?
Martin Marshalek
Level 1
 
Posts: 19
Joined: Mon Aug 31, 2009 6:10 pm

Re: Not Authenticated

Postby DrHu on Tue Sep 01, 2009 3:01 pm

Martin Marshalek wrote: Okay, I thought so, but is there any way to fix this yet?

Yes, you can prevent unauthenticated software (packages) from being installed; but you may not like that many/some packages that you wished to use then do not install..

http://www.infodrom.org/~joey/Writing/L ... ecure-apt/
    Tuning
    When no matching digital key is present to verify the integrity of an archive »apt-get« will complain. The administrator has the choice to go on and not install the named packages or to overrule the verification and install them anyway. The administrator controls this behaviour through the configuration file »apt.conf«, similar to other features of the APT package manager.

It is a matter of trust, and whether or not you think every package has to be signed, and therefore authenticated, before being allowed to install itself into your system.
--theoretically, it is a risk to use unauthenticated packages; however, it is a convenience to both developers and users to not absolutely require it (digital signing, authentication).

It is similar to the concept of browsing a web site: you do not have to authenticate yourself in order to either scan/read or even download from such web sites; and they are the majority of sites.
DrHu
Level 16
 
Posts: 6615
Joined: Wed Jun 17, 2009 8:20 pm

Re: Not Authenticated

Postby Martin Marshalek on Wed Sep 02, 2009 8:23 am

Okay, that works then. The basic gist of what you said is that with this I won't be able to even install unauthenticated software. Even if some of the software that I wanted to install through synaptic is (I have yet to find any that is), it seems like I would cause more harm to myself. I like your analogy about browsing the web; I think I understand now that it is not really a security matter to have unauthenticated packages, at least when they're from the Ubuntu, Medibuntu, and Mint repositories.

Will the developers eventually sign the packages (say in Helena) and fix this issue i.e. is this on the drawing board?
Martin Marshalek
Level 1
 
Posts: 19
Joined: Mon Aug 31, 2009 6:10 pm

Re: Not Authenticated

Postby DrHu on Wed Sep 02, 2009 11:32 am

Martin Marshalek wrote: Will the developers eventually sign the packages (say in Helena) and fix this issue i.e. is this on the drawing board?

That will be up to them; the distributions can only enforce so much and still be cooperative with their developers..
--however, if the majority agree to it, you get more compliance with what is an essential security aid, both to themselves and to users who get their software..

Debian has some digital signing as the way to use repositories; how far they have been able to push it, and having a few problems with their public keys (for authentication from repository) in recent times, didn't help..

http://www.infodrom.org/~joey/Writing/L ... ecure-apt/
    Digitally signed archives
    First of all, the Debian project does not provide signatures for individual packages. This would cause too much overhead for only little security. However, for several years there have been discussions on Debian development mailing lists about how digital signatures are to be handled and should be maintained for the Debian archive. There have always been proponents of signatures per package, but this would have several drawbacks
The number (of packages) and the management of that process is the problem.

So unless everyone, or the larger majority of developers agreed to it, it is unlikely to be offered or changed.
--same link as above..
    Signed packages?
    As mentioned before, there have been discussions about signed packages instead of signed index files. Signed packages help prevent the injection of arbitrary packages. However, they are no measurement against some sort of attacks. An evil person who injects an older version of a Debian package into a Debian mirror would still be successful, since the package itself would still contain a valid signature. Such a package could contain a security vulnerability that had been fixed already in a more recent version.
Debian's explanation of their method.
http://www.formortals.com/all-2006-2008 ... worthless/
Security is an ongoing battle, and mistakes can happen..
DrHu
Level 16
 
Posts: 6615
Joined: Wed Jun 17, 2009 8:20 pm
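The two schemes contrasted in the quoted secure-apt text (signing only the Release index versus signing each package) and the "older version replayed from a mirror" attack it describes, modelled as an added Python example. This is not code from the thread or from Debian's apt: an HMAC key stands in for the archive's GPG key, and the package contents are constructed samples.

```python
import hashlib
import hmac

# Constructed stand-in for the archive's GPG signing key (a real archive signs
# Release with GPG; only the structure of the checks is modelled here).
ARCHIVE_KEY = b"constructed-archive-signing-key"

def sign(data: bytes) -> str:
    return hmac.new(ARCHIVE_KEY, data, hashlib.sha256).hexdigest()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_archive(debs: dict) -> dict:
    """Secure-apt layout: every .deb is hashed into the Packages index, the index
    is hashed into Release, and only Release is signed (Release.gpg)."""
    packages = "\n".join(f"{n} {sha256(b)}" for n, b in sorted(debs.items())).encode()
    release = f"Packages {sha256(packages)}".encode()
    return {"debs": debs, "Packages": packages, "Release": release,
            "Release.gpg": sign(release)}

def verify_install(archive: dict, name: str) -> bool:
    """True only if the .deb is authenticated through Release -> Packages -> .deb."""
    if not hmac.compare_digest(sign(archive["Release"]), archive["Release.gpg"]):
        return False  # Release signature missing or forged
    if archive["Release"].decode() != f"Packages {sha256(archive['Packages'])}":
        return False  # Packages index was altered after Release was signed
    listed = dict(line.split() for line in archive["Packages"].decode().splitlines())
    body = archive["debs"].get(name)
    return body is not None and listed.get(name) == sha256(body)

# Constructed sample: an old, vulnerable build and the fixed build of one package.
OLD_DEB = b"hello_1.0.deb (contains the bug)"
NEW_DEB = b"hello_1.1.deb (bug fixed)"

def per_package_signing_accepts_downgrade() -> bool:
    """The 'signed packages' scheme from the quote: the old .deb still carries a
    valid archive signature, so a mirror replaying it is not detected."""
    deb, sig = OLD_DEB, sign(OLD_DEB)  # signed back when 1.0 was current
    return hmac.compare_digest(sign(deb), sig)

def signed_index_rejects_downgrade() -> bool:
    """With a signed index, the replayed .deb no longer matches the hash that
    Release vouches for, so the client refuses it."""
    archive = build_archive({"hello": NEW_DEB})
    archive["debs"]["hello"] = OLD_DEB  # mirror swaps in the older .deb
    return not verify_install(archive, "hello")
```

Replaying an entire older Release/Packages pair is a separate case that this model does not cover; secure-apt addresses it with the Release file's validity period.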
