apt-get install --assume-yes allows unverified packages
Bug #144781 reported by
Lars Noodén
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apt (Ubuntu) |
Fix Released
|
Wishlist
|
Michael Vogt | ||
Bug Description
Binary package hint: apt
Using the '--assume-yes' option, apt-get keeps rolling even if the repository (or a host pretending to be the repository) starts serving up packages that cannot be verified.
Technically --assume-yes does answer yes to everything. However, in this day and age with so many MIM and other attacks I would expect that it would throw an error unless accompanied by some --force option.
It looks like automated installs relying on --assume-yes can then be fed tainted or compromised packages.
Revision history for this message
| Kees Cook (kees) wrote | #1 |
| Changed in apt: | |
| status: | New → Incomplete |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in apt (Ubuntu): | |
| status: | Incomplete → Expired |
| Changed in apt (Ubuntu): | |
| status: | Expired → New |
| assignee: | nobody → Michael Vogt (mvo) |
| visibility: | private → public |
| Changed in apt (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → Wishlist |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #3 |
Revision history for this message
| Julian Andres Klode (juliank) wrote | #4 |
| Changed in apt (Ubuntu): | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
mvo, does update-manager use apt in this way?