|
View unanswered posts | View active topics
| Author |
Message |
|
Yogi
|
Post subject: (Solved) unauthenticated packages  Posted: Sat Oct 23, 2010 3:40 am |
|
Joined: Thu Oct 21, 2010 2:52 am
Posts: 10
|
|
Why does the warning message 'unauthenticated packages' come up when installing via synaptic?
I've also seen it as overridden when installing using the terminal.
Is it anything to worry about and can I do anything to stop it or should it be left alone?
Thanks.
Last edited by Yogi on Mon Oct 25, 2010 3:37 am, edited 1 time in total.
|
|
| Top |
|
 |
|
cxexa
|
Post subject: Re: unauthenticated packages Posted: Sat Oct 23, 2010 1:48 pm |
|
Joined: Wed Jul 14, 2010 9:17 pm
Posts: 507
Location: L5 - DBAA23 - C2187
|
What are you trying to install when this happens? I do not know the answer, and I fully understand we are not using Linux Mint. That being said, I do remember seeing this and it may give you some helpful information, but not necessarily a directly applicable solution.  http://forums.linuxmint.com/viewtopic.php?f=141&t=56792&p=328127&hilit=unauthenticated#p328127Also, from the Linux Mint Blog: http://blog.linuxmint.com/?p=1543 Kendall may have Peppermint's apt.conf set up the same way as Mint's. Quote: In the comments section, an anonymous person said: “The only thing that I really didn’t like is the same for all of the Mint systems and that is the poor security you get by using their unsigned packages and repositories.”
–> It is the same for all Mint systems indeed. It’s a feature though and it’s even a condition for our ISOs to pass the QA tests. Both the main Mint repositories and LMDE are signed and secure. The warning you see is because we set APT to allow unauthenticated repositories. This follows our philosophy that if you told your system to do something, it should listen to you and do it promptly. If for any reason you decided to add an unsigned repository, then Mint should accept it and do as it’s told. You already have a warning, if you don’t like it, use sign repositories, if you do already, remove the setting from /etc/apt/apt.conf. This default setting is there to warn people and to let them do what they want, as opposed to something that fails when you need it most. You’re not more exposed than on any other system. If something has the rights to modify your /etc/apt/sources.list it surely has the rights to modify /etc/apt/apt.conf as well. Warnings are good things and unlike errors they’re here to let you know about things without getting in your way. This is not poor security. This is a signed and secure system which lets you add additional sources, signed or not, the day you feel like it.
|
|
| Top |
|
|
|
Richard
|
Post subject: Re: unauthenticated packages Posted: Sat Oct 23, 2010 1:52 pm |
|
Joined: Tue Aug 03, 2010 11:34 am
Posts: 161
Location: Venezuela
|
_________________
Peppermint, Manjaro, Refracta
|
|
| Top |
|
|
|
SciFiDude79
|
Post subject: Re: unauthenticated packages Posted: Sat Oct 23, 2010 8:42 pm |
|
Joined: Fri Sep 17, 2010 1:01 am
Posts: 2363
Location: Ohio
|
|
I get the same thing and I always had this problem in Mint 9 also, it's harmless. You can still install the software, it works just fine, I guess that Synaptic just doesn't like the authentication key or something like that. (no biggie)
|
|
| Top |
|
|
|
theorangerider
|
Post subject: Re: unauthenticated packages Posted: Sat Oct 23, 2010 11:38 pm |
|
Joined: Sat Oct 23, 2010 11:04 pm
Posts: 13
|
|
I'm getting this warning when trying to install the manpages package, which appears to be from the Ubuntu repo. I'm not completely sure, but it looks like we have a stored key for this repo. Could the key be outdated or something?
_________________
I ride oranges.
|
|
| Top |
|
|
|
SciFiDude79
|
Post subject: Re: unauthenticated packages Posted: Sun Oct 24, 2010 12:57 am |
|
Joined: Fri Sep 17, 2010 1:01 am
Posts: 2363
Location: Ohio
|
|
If it's outdated, it's been outdated all along. I've been using Mint 9 since right after it was released and it's always given me that garbage about the Ubuntu repos. As I said before, it doesn't really affect anything, it's just mildly annoying. Your best bet is to ignore it, it's going to keep doing it.
|
|
| Top |
|
|
|
theorangerider
|
Post subject: Re: unauthenticated packages Posted: Sun Oct 24, 2010 1:37 am |
|
Joined: Sat Oct 23, 2010 11:04 pm
Posts: 13
|
Thanks, you're right, It is pretty much a benign message. I found out that the keys are definitely correct and the warning message seems to be a byproduct of configuring apt-get to allow the installation of unauthenticated packages and simply display a warning. If I remove that configuration, it will verify the package using the GPG keys and the warning message goes away. The side affect of removing that configuration is if you have any third party repos that aren't signed, apt won't let you install them. To remove the warnings and force authentication refer to this thread from the Mint forums.
_________________
I ride oranges.
Last edited by theorangerider on Sun Oct 24, 2010 5:24 am, edited 1 time in total.
|
|
| Top |
|
|
|
SciFiDude79
|
Post subject: Re: unauthenticated packages Posted: Sun Oct 24, 2010 3:34 am |
|
Joined: Fri Sep 17, 2010 1:01 am
Posts: 2363
Location: Ohio
|
|
I leave it be, it doesn't hurt anything, plus I'm used to it. Plus, as you say, there can be repercussions to removing those warnings. I don't remember if Ubuntu 10.04 did that, I don't think it did, I only used it for a little while before I switched to Mint. If I remember correctly, Mint 10 RC doesn't do that. It might be something they worked on for the newest version.
|
|
| Top |
|
|
|
Yogi
|
Post subject: Re: unauthenticated packages Posted: Sun Oct 24, 2010 4:40 am |
|
Joined: Thu Oct 21, 2010 2:52 am
Posts: 10
|
Thank you for the replies. The software that I am installing when the unauthenticated message comes up is software that I would consider to be recognised as 'safe' software, e.g: Abiword and pulseaudio, that's why I was surprised  when the warning came up as both of these are often default software in other distro's. Reading the replies and taking a look at the links to other concerns about this message I think that I am in agreement that this isn't too much to worry about, I do, however, feel some concern that 'learning' to ignore a warning message may lead to a degree of complacency that, in time, could compromise an end users system. One of the key points of linux security (at least in my humble opinion) is that software is installed from a secure server rather than the windows method of downloading files from various websites. Unless the user has the knowledge to authenticate each dependency themselves (I don't) then they are reliant on a warning message to tell them if any of the software is compromised in the same way as a windows user would rely on a virus scanner. This makes the warning message the equivalent of a false positive. Unsettling for those users new to Peppermint and Linux. If it has been fixed in Mint 10 RC maybe it could be fixed in Peppermint?
|
|
| Top |
|
|
|
theorangerider
|
Post subject: Re: unauthenticated packages Posted: Sun Oct 24, 2010 5:42 am |
|
Joined: Sat Oct 23, 2010 11:04 pm
Posts: 13
|
I'm not sure if it's considered to be a bug. Ubuntu by default does not allow you to install from unauthenticated repos, but Mint (and Peppermint) chose to allow unauthenticated sources by default. From the Mint blog ( link): Quote: The warning you see is because we set APT to allow unauthenticated repositories. This follows our philosophy that if you told your system to do something, it should listen to you and do it promptly. If for any reason you decided to add an unsigned repository, then Mint should accept it and do as it’s told. You already have a warning, if you don’t like it, use sign repositories, if you do already, remove the setting from /etc/apt/apt.conf. This default setting is there to warn people and to let them do what they want, as opposed to something that fails when you need it most. You’re not more exposed than on any other system. If something has the rights to modify your /etc/apt/sources.list it surely has the rights to modify /etc/apt/apt.conf as well. Warnings are good things and unlike errors they’re here to let you know about things without getting in your way. This is not poor security. This is a signed and secure system which lets you add additional sources, signed or not, the day you feel like it. The only thing I find strange is the fact that these repositories are in fact signed, but you still get a warning. I'm guessing if you go with the default configuration and allow unsigned sources, it bypasses checking for signed sources as well and displays the warning message. In any case, I think SciFiDude is right that there's not much to sweat over. 
_________________
I ride oranges.
|
|
| Top |
|
|
Who is online |
Users browsing this forum: No registered users and 0 guests |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
|
|
|
