ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Unsigned Debian repository packages #2068

Status: Closed (rkuijt closed this 4 months ago)

rkuijt commented 1 year ago

To my understanding, the packages provided for Debian-based operating systems are unsigned. The installer provided here works around this by adding the `[trusted=yes]` parameter to the repository configuration.

From the docs of sources.list(5):

> Trusted (trusted) is a tri-state value which defaults to APT deciding if a source is considered trusted or if warnings should be raised before e.g. packages are installed from this source. This option can be used to override that decision. The value yes tells APT always to consider this source as trusted, even if it doesn't pass authentication checks. It disables parts of apt-secure(8), and should therefore only be used in a local and trusted context (if at all) as otherwise security is breached. The value no does the opposite, causing the source to be handled as untrusted even if the authentication checks passed successfully. The default value can't be set explicitly.

I would expect a security-centered project to sign the release packages instead of disabling these validation features. I'm curious why this solution is chosen instead. Do you think the repositories should be signed? Are there any future plans for that?
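The contrast the comment above draws, shown as an added example that is not part of the issue and not the OSSEC project's own installer code: the `[trusted=yes]` source line beside a `signed-by=` line that pins the repository to one keyring, plus a small audit that flags any apt source entry which turns authentication off. The repository URL, suite, component and keyring path are placeholders, not the project's real values.

```shell
#!/bin/sh
# Added example, not code from the OSSEC project or the issue author.
# Contrasts the [trusted=yes] source line the issue describes with a
# signed-by= line, and audits sources.list-style input for entries that
# disable apt-secure(8). The URL, suite, component and keyring path are
# placeholders (assumptions), not the project's real repository.

# Weak: [trusted=yes] makes APT accept the source even when the Release
# file is unsigned or its signature cannot be verified.
WEAK_LINE='deb [trusted=yes] https://repo.example.invalid/debian stable main'

# Hardened: APT verifies Release/InRelease against only the key(s) in the
# named keyring and refuses the source on any signature failure.
KEYRING=/usr/share/keyrings/example-archive-keyring.gpg
SAFE_LINE="deb [signed-by=$KEYRING] https://repo.example.invalid/debian stable main"

# install_keyring: fetch an ASCII-armoured public key and store it as a
# binary keyring for signed-by=. Needs network access and root; not run here.
install_keyring() {
    key_url=$1
    curl -fsSL "$key_url" | gpg --dearmor -o "$KEYRING"
    chmod 0644 "$KEYRING"
}

# audit_sources: read one-line (sources.list) or deb822 (.sources) entries on
# stdin, print every line that turns authentication off, and return 1 if any
# was found, else 0.
audit_sources() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            deb[[:space:]]*|deb-src[[:space:]]*)
                # One-line format: options live in [...] right after the type.
                opts=$(printf '%s\n' "$line" \
                    | sed -n 's/^deb[-a-z]*[[:space:]]*\[\([^]]*\)\].*/\1/p')
                case " $opts " in
                    *" trusted=yes "*)
                        found=$((found + 1))
                        printf 'UNSAFE: %s\n' "$line" ;;
                esac ;;
            Trusted:*)
                # deb822 format: a "Trusted: yes" field has the same effect.
                case "$line" in
                    *[Yy]es*)
                        found=$((found + 1))
                        printf 'UNSAFE: %s\n' "$line" ;;
                esac ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Usage: ./audit.sh /etc/apt/sources.list /etc/apt/sources.list.d/*
# With no arguments nothing is read, so the file can also be sourced.
[ "$#" -eq 0 ] || cat -- "$@" | audit_sources
```

The audit only reports `trusted=yes`; a bare `deb https://...` line without `signed-by=` is still authenticated, but against every key in the system trust store rather than one keyring, so pinning with `signed-by=` is the stricter choice once the repository is signed.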

atomicturtle commented 4 months ago

Should be good to go now, but you may need to run the atomic installer again to update your repo configs to use the new destination.