Not Authenticated
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
Not Authenticated
Why is it that all packages in Synaptic say that they are "Not Authenticated" (Ubuntu repo, Mint repo, Medibuntu repo) when I install or update? Is this normal? Is there a fix for this?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Not Authenticated
Okay, I thought so, but is there any way to fix this yet?
Re: Not Authenticated
Martin Marshalek wrote: Okay, I thought so, but is there any way to fix this yet?
Yes, you can prevent unauthenticated software (packages) being installed; but you may not like that many/some packages that you wished to use then do not install.
http://www.infodrom.org/~joey/Writing/L ... ecure-apt/
- Tuning
When no matching digital key is present to verify the integrity of an archive »apt-get« will complain. The administrator has the choice to go on and not install the named packages or to overrule the verification and install them anyway. The administrator controls this behaviour through the configuration file »apt.conf«, similar to other features of the APT package manager.
--theoretically, it is a risk to use unauthenticated packages; however, it is a convenience to both developers and users to not absolutely require it (digital signing, authentication).
It is similar to the concept of browsing a web site: you do not have to authenticate yourself in order to either scan/read or even download from such web sites, and they are the majority of sites.
Re: Not Authenticated
Okay, that works then. The basic gist of what you said is that with this I won't be able to even install unauthenticated software. Even if some of the software I have yet to find any that is that I wanted to install through Synaptic and it seems like I would cause more harm to myself. I like your analogy about browsing the web, I think I understand now that it is not really a security matter to have unauthenticated packages, at least when they're from the Ubuntu, Medibuntu, and Mint repositories.
Will the developers eventually sign the packages (say in Helena) and fix this issue i.e. is this on the drawing board?
Re: Not Authenticated
Martin Marshalek wrote: Will the developers eventually sign the packages (say in Helena) and fix this issue i.e. is this on the drawing board?
That will be up to them, the distributions can only enforce so much and still be cooperative with their developers.
--however if the majority agree to it, you get more compliance with what is an essential security aid, both to themselves and to users who get their software..
Debian has some digital signing as the way to use repositories, how far they have been able to push it, and having a few problems with their public keys (for authentication from repository) in recent times didn't help..
http://www.infodrom.org/~joey/Writing/L ... ecure-apt/
- Digitally signed archives
First of all, the Debian project does not provide signatures for individual packages. This would cause too much overhead for only little security. However, for several years there have been discussions on Debian development mailing lists about how digital signatures are to be handled and should be maintained for the Debian archive. There have always been proponents of signatures per package, but this would have several drawbacks
So unless everyone, or the larger majority of developers agreed to it, it is unlikely to be offered or changed.
--same link as above..
- Signed packages?
As mentioned before, there have been discussions about signed packages instead of signed index files. Signed packages help prevent the injection of arbitrary packages. However, they are no measurement against some sort of attacks. An evil person who injects an older version of a Debian package into a Debian mirror would still be successful, since the package itself would still contain a valid signature. Such a package could contain a security vulnerability that had been fixed already in a more recent version.
http://www.formortals.com/all-2006-2008 ... worthless/
security is an ongoing battle, and mistakes can happen..
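The signed-index approach quoted in the post above, as an added example (not code from this thread, the linked article or APT itself): a package is accepted only if its hash matches the Packages index, and the index only if its hash matches the Release file. It assumes the Release file's own signature has already been checked against the archive key; the file formats are simplified and all sample data is constructed.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def listed_index_hash(release_text, index_name):
    """Return the SHA256 the Release file lists for an index file, or None."""
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, _size, name = line.split()
            if name == index_name:
                return digest
        else:
            in_section = False
    return None

def listed_package_hash(packages_text, filename):
    """Return the SHA256 the Packages index lists for a .deb, or None."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Filename") == filename:
            return fields.get("SHA256")
    return None

def verify_deb(release_text, packages_text, index_name, filename, deb_bytes):
    """Walk the chain Release -> Packages -> .deb and report where it breaks."""
    if listed_index_hash(release_text, index_name) != sha256_hex(packages_text.encode()):
        return "index does not match Release"
    expected = listed_package_hash(packages_text, filename)
    if expected is None:
        return "package not listed"
    return "ok" if expected == sha256_hex(deb_bytes) else "package hash mismatch"

# Constructed sample data: byte strings stand in for real .deb files.
OLD_DEB = b"demo 1.0 (constructed stand-in for an older, vulnerable build)"
NEW_DEB = b"demo 1.1 (constructed stand-in for the fixed build)"
FILENAME = "pool/main/d/demo/demo_1.1_all.deb"
INDEX = "main/binary-amd64/Packages"
PACKAGES = (f"Package: demo\nVersion: 1.1\n"
            f"Filename: {FILENAME}\nSHA256: {sha256_hex(NEW_DEB)}\n")
RELEASE = (f"Suite: constructed\nSHA256:\n"
           f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES)} {INDEX}\n")

if __name__ == "__main__":
    print(verify_deb(RELEASE, PACKAGES, INDEX, FILENAME, NEW_DEB))
    print(verify_deb(RELEASE, PACKAGES, INDEX, FILENAME, OLD_DEB))
```

An older build served under the current file name fails the package hash check, and editing the index to list the old hash fails the Release check, which is the case the quoted passage says a per-package signature alone would not catch.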