Add NoFail setting to continue installation on fail

in-toto / apt-transport-in-toto

in-toto transport for apt

Other

8 stars 6 forks source link

Add NoFail setting to continue installation on fail #17

Closed lukpueh closed 5 years ago

lukpueh commented 5 years ago

Fixes issue #: Closes #12

Description of the changes being introduced by the pull request: If set to "true" NoFail allows a client to install packages even if in-toto verification fails, but only if the fail reason is missing link metadata.

This setting should be removed, once there is broader support for rebuilder in-toto link metadata.

This PR also configures the online demo (see Dockerfile) to enable the NoFail setting.

Tests and documentation will be added with #9 and #14.

Please verify and check that the pull request fulfills the following requirements:

[x] The code follows the Code Style Guidelines
[ ] Tests have been added for the bug fix or new feature
[ ] Docs have been added for the bug fix or new feature

JustinCappos commented 5 years ago

Is there a warning or similar? At a minimum, apt should output something scary...

lukpueh commented 5 years ago

@JustinCappos, I agree. As a matter of fact, there is such a warning, but I it could be scarier.

JustinCappos commented 5 years ago

The message is really unhelpful also! What does a user know about nofail? What does this really mean to them???

On Wed, Jan 2, 2019 at 5:20 AM lukpueh notifications@github.com wrote:

@JustinCappos https://github.com/JustinCappos, I agree. As a matter of fact, there is such a warning https://github.com/in-toto/apt-transport-in-toto/pull/17/files#diff-6d82cdf8bca0ebc9be432d640885a335R644, but I it could be scarier.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/in-toto/apt-transport-in-toto/pull/17#issuecomment-450828320, or mute the thread https://github.com/notifications/unsubscribe-auth/AA0XD0cXJ9iZdAJyOiZyy_7UYNY5D0zrks5u_IgJgaJpZM4ZePjc .

lukpueh commented 5 years ago

The notification about the setting is preceded by the verification failure reason, e.g.:

In-toto verification for '/var/cache/apt/archives/partial/libcanlock3_3.0.2-2_amd64.deb' failed, reason was: Step 'rebuild' requires '1' link metadata file(s), found '0'. The 'NoFail' setting was configured, installation continues.

Suggestions to make it more helpful are highly appreciated.

Note that I intend to add more detailed documentation about the configuration options with #14 (as stated in the PR description).