Not Authenticated

Martin Marshalek

Not Authenticated

Post by Martin Marshalek »

Why is it that all packages in Synaptic say that they are "Not Authenticated" (Ubuntu repo, Mint repo, Medibuntu repo) when I install or update? Is this normal? Is there a fix for this?
Muzer

Re: Not Authenticated

Post by Muzer »

It's normal.
Martin Marshalek

Re: Not Authenticated

Post by Martin Marshalek »

Okay, I thought so, but is there any way to fix this yet?
DrHu

Re: Not Authenticated

Post by DrHu »

Martin Marshalek wrote: Okay, I thought so, but is there any way to fix this yet?
Yes, you can prevent unauthenticated software (packages) from being installed, but you may not like that many/some packages that you wished to use then do not install.

http://www.infodrom.org/~joey/Writing/L ... ecure-apt/
  • Tuning
    When no matching digital key is present to verify the integrity of an archive »apt-get« will complain. The administrator has the choice to go on and not install the named packages or to overrule the verification and install them anyway. The administrator controls this behaviour through the configuration file »apt.conf«, similar to other features of the APT package manager.
It is a matter of trust, and of whether or not you think every package has to be signed, and therefore authenticated, before being allowed to install itself into your system.
--theoretically, it is a risk to use unauthenticated packages; however, it is a convenience to both developers and users to not absolutely require it (digital signing, authentication)

It is similar to the concept of browsing a web site: you do not have to authenticate yourself in order to either scan/read or even download from such web sites, and they are the majority of sites.
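Added example (not part of the post above or the linked article): a shell check for the settings that make apt accept archives without signature verification. The option names (`APT::Get::AllowUnauthenticated`, `Acquire::AllowInsecureRepositories`, `Acquire::AllowDowngradeToInsecureRepositories` and the `trusted=yes` source option) are apt's own but are not named in the thread; the sample tree is constructed.

```shell
#!/bin/sh
# Added example: flag APT settings that switch off archive authentication.

# _scan FILE REGEX: print non-comment lines of FILE that match REGEX
# (case-insensitive) as "FILE:LINE:text"; succeeds only if something matched.
_scan() {
    grep -Hn '' "$1" \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*(//|#)' \
        | grep -Ei "$2"
}

# audit_apt_auth ROOT: check ROOT/etc/apt (empty ROOT = the live system).
# Returns 1 if any setting bypasses signature checks, 0 otherwise.
audit_apt_auth() {
    apt_dir="${1:-}/etc/apt"
    found=0
    # apt.conf options that let apt install from unverified archives
    conf_re='(AllowUnauthenticated|AllowInsecureRepositories|AllowDowngradeToInsecureRepositories)[[:space:]]+"?(true|yes|on|1)'
    # per-source override: [trusted=yes] or a deb822 "Trusted: yes" field
    src_re='(\[[^]]*trusted=yes|:[0-9]+:[[:space:]]*trusted:[[:space:]]*yes)'
    for f in "$apt_dir/apt.conf" "$apt_dir"/apt.conf.d/*; do
        [ -f "$f" ] && _scan "$f" "$conf_re" && found=1
    done
    for f in "$apt_dir/sources.list" "$apt_dir"/sources.list.d/*; do
        [ -f "$f" ] && _scan "$f" "$src_re" && found=1
    done
    return "$found"
}

# Constructed sample tree so the check can be tried without touching /etc.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/apt/apt.conf.d" "$d/etc/apt/sources.list.d"
    printf '%s\n' '// APT::Get::AllowUnauthenticated "true";' \
        'APT::Get::AllowUnauthenticated "true";' > "$d/etc/apt/apt.conf.d/99local"
    printf '%s\n' 'deb http://archive.example/ubuntu stable main' \
        'deb [trusted=yes] http://mirror.example/extra ./' > "$d/etc/apt/sources.list"
    echo "$d"
}

sample=$(make_sample)
audit_apt_auth "$sample" || echo "authentication is bypassed by the lines above"
rm -rf "$sample"
```

Run `audit_apt_auth ""` to check the live system's `/etc/apt`; commented-out lines are ignored.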
Martin Marshalek

Re: Not Authenticated

Post by Martin Marshalek »

Okay, that works then. The basic gist of what you said is that with this I won't be able to even install unauthenticated software. Even if some of the software I have yet to find any that is that I wanted to install through Synaptic and it seems like I would cause more harm to myself. I like your analogy about browsing the web, I think I understand now that it is not really a security matter to have unauthenticated packages, at least when they're from the Ubuntu, Medibuntu, and Mint repositories.

Will the developers eventually sign the packages (say in Helena) and fix this issue i.e. is this on the drawing board?
DrHu

Re: Not Authenticated

Post by DrHu »

Martin Marshalek wrote: Will the developers eventually sign the packages (say in Helena) and fix this issue i.e. is this on the drawing board?
That will be up to them, the distributions can only enforce so much and still be cooperative with their developers..
--however if the majority agree to it, you get more compliance with what is an essential security aid, both to themselves and to users who get their software..

Debian has some digital signing as the way to use repositories, how far they have been able to push it, and having a few problems with their public keys (for authentication from repository) in recent times didn't help..

http://www.infodrom.org/~joey/Writing/L ... ecure-apt/
  • Digitally signed archives
    First of all, the Debian project does not provide signatures for individual packages. This would cause too much overhead for only little security. However, for several years there have been discussions on Debian development mailing lists about how digital signatures are to be handled and should be maintained for the Debian archive. There have always been proponents of signatures per package, but this would have several drawbacks
The number (packages) and management of that process is the problem

So unless everyone, or the larger majority of developers agreed to it, it is unlikely to be offered or changed.
--same link as above..
  • Signed packages?
    As mentioned before, there have been discussions about signed packages instead of signed index files. Signed packages help prevent the injection of arbitrary packages. However, they are no measurement against some sort of attacks. An evil person who injects an older version of a Debian package into a Debian mirror would still be successful, since the package itself would still contain a valid signature. Such a package could contain a security vulnerability that had been fixed already in a more recent version.
Debian's explanation of their method
http://www.formortals.com/all-2006-2008 ... worthless/
security is an ongoing battle, and mistakes can happen..
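Added example (not from the thread or the linked article): how a signed index stops the injection of an older package version described in the quoted passage, by following the hashes from the Release file to the Packages index to the package file. It assumes the Release file's signature has already been verified; the archive and the package name `demo` are constructed, and the file layout is simplified from a real Debian archive.

```shell
#!/bin/sh
# Added example: hash chain Release -> Packages -> .deb (signature on Release assumed checked).

sha() { sha256sum "$1" | cut -d' ' -f1; }

# index_hash RELEASE PATH: SHA256 that the Release file records for PATH
index_hash() {
    awk -v p="$2" '$3 == p && length($1) == 64 { print $1; exit }' "$1"
}

# pkg_hash PACKAGES NAME: SHA256 that the Packages index records for package NAME
pkg_hash() {
    awk -v n="$2" '$1 == "Package:" { cur = $2 }
                   $1 == "SHA256:" && cur == n { print $2; exit }' "$1"
}

# verify_deb DIR NAME DEB: 0 if DEB is exactly the file the index in DIR names,
# 2 if Packages does not match Release, 1 if DEB does not match Packages.
verify_deb() {
    [ "$(sha "$1/Packages")" = "$(index_hash "$1/Release" Packages)" ] || return 2
    [ "$(sha "$3")" = "$(pkg_hash "$1/Packages" "$2")" ] || return 1
}

# Constructed archive: the index lists version 1.1 only; 1.0 is the old build.
make_archive() {
    d=$(mktemp -d)
    echo 'demo 1.0 (old, vulnerable build)' > "$d/demo_1.0.deb"
    echo 'demo 1.1 (fixed build)' > "$d/demo_1.1.deb"
    printf 'Package: demo\nVersion: 1.1\nFilename: demo_1.1.deb\nSHA256: %s\n' \
        "$(sha "$d/demo_1.1.deb")" > "$d/Packages"
    printf 'Suite: stable\nSHA256:\n %s %s Packages\n' \
        "$(sha "$d/Packages")" "$(wc -c < "$d/Packages")" > "$d/Release"
    echo "$d"
}

a=$(make_archive)
verify_deb "$a" demo "$a/demo_1.1.deb" && echo "1.1 accepted"
verify_deb "$a" demo "$a/demo_1.0.deb" || echo "1.0 rejected: not the file the index names"
rm -rf "$a"
```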