Muon defaults insecure

Bug #820638 reported by Scott Kitterman on 2011-08-03
This bug affects 1 person
Affects Status Importance Assigned to Milestone
muon (Ubuntu)

Bug Description

Muon defaults to allowing untrusted packages. This is very bad and must be fixed.

vim muon/config/GeneralSettingsPage.cpp +106

    m_untrustedCheckBox->setChecked(m_aptConfig->readEntry("APT::Get::AllowUnauthenticated", true));

Related branches

visibility: private → public
Changed in muon (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
milestone: none → oneiric-alpha-3
tags: added: iso-testing
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package muon - 1.1.90-0ubuntu3

muon (1.1.90-0ubuntu3) oneiric; urgency=low

  * Default to not allow installation of untrusted packages (LP: #820638)
 -- Scott Kitterman <email address hidden> Thu, 04 Aug 2011 15:10:49 -0400

Changed in muon (Ubuntu Oneiric):
status: Triaged → Fix Released
Jonathan Thomas (echidnaman) wrote :

I don't agree with this. Muon presents the same behavior as apt-get in this regard with the option checked, where it will warn you about the dangers of such packages, asking you whether or not you'd like to continue. With the option unchecked, trying to install packages will fail outright.

Jonathan Thomas (echidnaman) wrote :

*trying to install unsigned packages.

That (fail unless checked) is appropriate. That's the default for apt.

Jonathan Thomas (echidnaman) wrote :

APT by default doesn't fail, though, it just asks if you want to continue.

Scott Kitterman (kitterman) wrote :

If you install a package from a (for example) ppa whose key it doesn't know about, it fails.

Scott Kitterman (kitterman) wrote :

On Thursday, August 04, 2011 08:22:27 PM you wrote:
> APT by default doesn't fail, though, it just asks if you want to
> continue.

Agreed. I think that's a problem with apt too then. I'll follow up with apt.

Marc Deslauriers (mdeslaur) wrote :

We want the graphical tools to fail when trying to install unauthenticated packages, and not let the user just click continue to install them.

update-manager and Ubuntu software centre both refuse to install unauthenticated packages since Maverick.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers