Martin Marshalek wrote: Okay, I thought so, but is there any way to fix this yet?
Yes, you can prevent unauthenticated software (packages) from being installed, but you may not like that many/some packages that you wished to use then do not install. http://www.infodrom.org/~joey/Writing/L ... ecure-apt/
When no matching digital key is present to verify the integrity of an archive »apt-get« will complain. The administrator has the choice to go on and not install the named packages or to overrule the verification and install them anyway. The administrator controls this behaviour through the configuration file »apt.conf«, similar to other features of the APT package manager.
It is a matter of trust, and whether or not you think every package has to be signed, and therefore authenticated, before being allowed to install itself into your system.
Theoretically, it is a risk to use unauthenticated packages; however, it is a convenience to both developers and users to not absolutely require it (digital signing, authentication).
It is similar to the concept of browsing a web site: you do not have to authenticate yourself in order to either scan/read or even download from such web sites, and they are the majority of sites.
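
The reply above says the administrator controls this behaviour through »apt.conf«. As an added example (not part of the original post), this script reports settings that let packages install without verification. The option names are real APT options, while the sample files, hostnames and the list of "true" spellings are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report APT settings that
# allow packages to install without signature verification.

# Common spellings APT accepts for a true boolean (assumed list, not exhaustive).
APT_TRUE='(true|yes|on|enable|with|1)'

# audit_apt_conf FILE: FILE holds `apt-config dump` output, one
#   Key "value";   per line. Prints each option that weakens verification.
audit_apt_conf() {
    grep -Ei "^[[:space:]]*(APT::Get::AllowUnauthenticated|Acquire::AllowInsecureRepositories|Acquire::AllowDowngradeToInsecureRepositories)[[:space:]]+\"${APT_TRUE}\";" "$1" || true
}

# audit_sources FILE: FILE is a one-line-style sources.list. Prints active
# (uncommented) entries carrying [trusted=yes], which skips verification
# for that source.
audit_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes[^]]*\]' "$1" || true
}

# Constructed sample input, so the example runs without touching a real system.
demo_dir=$(mktemp -d)
cat > "$demo_dir/apt-dump.txt" <<'EOF'
APT::Architecture "amd64";
APT::Get::AllowUnauthenticated "true";
Acquire::AllowInsecureRepositories "0";
Acquire::AllowDowngradeToInsecureRepositories "no";
EOF
cat > "$demo_dir/sources.list" <<'EOF'
deb http://deb.example.org/debian stable main
deb [trusted=yes] http://repo.example.net/apt ./
# deb [trusted=yes] http://old.example.net/apt ./
EOF

echo "apt.conf findings:";     audit_apt_conf "$demo_dir/apt-dump.txt"
echo "sources.list findings:"; audit_sources  "$demo_dir/sources.list"
```

On a real system, save the output of `apt-config dump` to a file and pass that file to `audit_apt_conf`; an empty result means none of the three options is switched on.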