Muon defaults insecure

Bug #820638 reported by Scott Kitterman
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| muon (Ubuntu) | Fix Released | Critical | Unassigned | |
| Oneiric | Fix Released | Critical | Unassigned | |

Bug Description

Muon defaults to allowing untrusted packages. This is very bad and must be fixed.

vim muon/config/GeneralSettingsPage.cpp +106

    m_untrustedCheckBox->setChecked(m_aptConfig->readEntry("APT::Get::AllowUnauthenticated", true));

Tags: iso-testing
visibility: private → public
Changed in muon (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
milestone: none → oneiric-alpha-3
tags: added: iso-testing
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package muon - 1.1.90-0ubuntu3

---------------
muon (1.1.90-0ubuntu3) oneiric; urgency=low

  * Default to not allow installation of untrusted packages (LP: #820638)
 -- Scott Kitterman <email address hidden> Thu, 04 Aug 2011 15:10:49 -0400

Changed in muon (Ubuntu Oneiric):
status: Triaged → Fix Released
Jonathan Thomas (echidnaman) wrote :

I don't agree with this. Muon presents the same behavior as apt-get in this regard with the option checked, where it will warn you about the dangers of such packages, asking you whether or not you'd like to continue. With the option unchecked, trying to install packages will fail outright.

Jonathan Thomas (echidnaman) wrote :

*trying to install unsigned packages.

Scott Kitterman (kitterman) wrote : Re: [Bug 820638] Re: Muon defaults insecure

That (fail unless checked) is appropriate. That's the default for apt.

Jonathan Thomas (echidnaman) wrote :

APT by default doesn't fail, though, it just asks if you want to continue.

Scott Kitterman (kitterman) wrote :

If you install a package from a (for example) ppa whose key it doesn't know about, it fails.

Scott Kitterman (kitterman) wrote :

On Thursday, August 04, 2011 08:22:27 PM you wrote:
> APT by default doesn't fail, though, it just asks if you want to
> continue.

Agreed. I think that's a problem with apt too then. I'll follow up with apt.

Marc Deslauriers (mdeslaur) wrote :

We want the graphical tools to fail when trying to install unauthenticated packages, and not let the user just click continue to install them.

update-manager and Ubuntu software centre both refuse to install unauthenticated packages since Maverick.

This report contains Public Security information  
Everyone can see this security related information.
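
The option named in this report can be audited on a host by reading the output of `apt-config dump`. The following is an added example, not code from Muon, APT or any participant in this thread; it treats a missing `APT::Get::AllowUnauthenticated` entry as disabled, the opposite of the `true` fallback in the `readEntry` call quoted in the bug description. The function name, the sample inputs and the list of spellings counted as "true" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Muon or APT code): report whether
# APT::Get::AllowUnauthenticated is enabled in `apt-config dump` output.

# Reads dump-format lines (Key "value";) on stdin and prints
# "enabled" or "disabled". A missing key counts as disabled (fail closed).
allow_unauth_state() {
    awk '
        BEGIN { state = "disabled" }
        # Option names are compared case-insensitively.
        tolower($1) == "apt::get::allowunauthenticated" {
            v = tolower($2)
            gsub(/[";]/, "", v)          # strip the quotes and trailing ";"
            # Assumed set of spellings that count as boolean true.
            if (v ~ /^(true|yes|on|enable|with|1)$/) state = "enabled"
            else state = "disabled"
        }
        END { print state }
    '
}

# Constructed sample inputs in the format printed by `apt-config dump`.
SAMPLE_INSECURE='APT::Architecture "amd64";
APT::Get::AllowUnauthenticated "true";'
SAMPLE_ABSENT='APT::Architecture "amd64";
APT::Install-Recommends "1";'
SAMPLE_EXPLICIT_OFF='APT::Get::AllowUnauthenticated "false";'
SAMPLE_MIXED_CASE='apt::get::allowunauthenticated "Yes";'

# On a live system, pass --live to check the real configuration.
if [ "${1:-}" = "--live" ]; then
    apt-config dump | allow_unauth_state
fi
```
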
