Re: leaks in our only-signed-software fortress

To: <debian-devel@lists.debian.org>
Subject: Re: leaks in our only-signed-software fortress
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Sat, 18 Feb 2012 16:23:16 +0200
Message-id: <[🔎] 121005584832f4d35086604441f2166a@scientia.net>
In-reply-to: <[🔎] 20120218123449.7e0ff2515d935a0b136b3eb4@debian.org>
References: <[🔎] 0763775752c72b696283491568e04907@scientia.net> <[🔎] 20120218113214.GA2013@jwilk.net> <[🔎] 20120218123449.7e0ff2515d935a0b136b3eb4@debian.org>

Am 18.02.2012 14:34, schrieb Neil Williams:

>- packages that eventually run some code which was downloaded
>unsecured.
>debootstrap used to be like that, pbuilder, and some others


Only a bug if this happens by default.

It is perfectly acceptable to support an option to disable SecureApt-

just as long as this is not the default. Tools in Debian need to work
with systems outside Debian and those do not necessarily *need*

SecureApt because the entire loop is internal or even local to theone

machine.

Agreed,.... but it WAS the default till recently,.. e.g. in debootstraptill 1.0.30, when my bug #560038 was fixed (thanks Joey :) ).And of course anything that used debootstrap (e.g. pbuilder, piupartsdo so) was automatically insecure, too. (till then)



Cheers,
Chris.

Reply to:

References:
- leaks in our only-signed-software fortress
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: leaks in our only-signed-software fortress
  - From: Jakub Wilk <jwilk@debian.org>
- Re: leaks in our only-signed-software fortress
  - From: Neil Williams <codehelp@debian.org>

Prev by Date: Re: leaks in our only-signed-software fortress
Next by Date: Re: leaks in our only-signed-software fortress
Previous by thread: Re: leaks in our only-signed-software fortress
Next by thread: Re: leaks in our only-signed-software fortress
Index(es):
- Date
- Thread