
Bug#661501: debootstrap: Missing keyring file should abort with error



Package: debootstrap
Version: 1.0.38
Severity: important
Tags: patch


Dear Maintainer,

If the keyring file specified by a script with the keyring()
function doesn't exist, debootstrap prints only a warning but the
installation continues.

As the script clearly mentions the keyring and thus relies on its
existence to verify the download, this should cause an error and
abort the debootstrap installation. Otherwise a misconfiguration
or incomplete installation (missing keyrings) can lead to
download and installation of unverified packages.

The following patch fixes this issue and aborts the installation:

    --- functions.orig	2012-02-27 18:42:58.000000000 +0100
    +++ functions	2012-02-27 18:43:02.000000000 +0100
    @@ -508,7 +508,7 @@
     		 "$relsigdest" "$reldest" || true) | read_gpg_status
     		progress 100 100 DOWNRELSIG "Downloading Release file signature"
     	elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
    -		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
    +		error 1 KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
     	fi
     }
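Review bot: the tightened branch still only fires when `$KEYRING_WANTED` is non-empty, so a suite script that never calls keyring() falls through the `elif` silently and the Release signature goes unchecked with no message at all; consider an `else` branch that at least warns when `$DISABLE_KEYRING` is empty and no keyring was requested. Replacing `warning KEYRING` with `error 1 KEYRING` otherwise matches the report's intent, and since the `[ -z "$DISABLE_KEYRING" ]` test guards the branch, the explicit opt-out path (assuming `--no-check-gpg` is what sets that variable, as the report suggests) is unaffected; it would help to state in the error text that `--no-check-gpg` is the way to proceed deliberately without verification.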

I'm no debootstrap expert, so I may be overlooking something here;
if so, please tell me. But I think --no-check-gpg already takes
care of the case if no verification is required.

Regards,
Simon

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages debootstrap depends on:
ii  wget  1.13.4-2

Versions of packages debootstrap recommends:
ii  debian-archive-keyring  2010.08.28
ii  gnupg                   1.4.11-3

debootstrap suggests no packages.

-- no debconf information
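As an added example (not part of this bug report or of debootstrap itself), a pre-flight shell check that applies the same rule before debootstrap runs: it scans the suite script for keyring lines and refuses to proceed if a referenced keyring file is missing, unless the check is explicitly disabled as --no-check-gpg does. The function names keyrings_requested and check_keyrings, and the optional second argument, are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight keyring check for debootstrap suite scripts (added example,
# not debootstrap code). A suite script requests its archive keyring with a
# line such as:  keyring /usr/share/keyrings/debian-archive-keyring.gpg
# If that file is absent, debootstrap 1.0.38 only warns and then installs
# unverified packages; this check turns the situation into a hard failure
# before debootstrap is even started.

# keyrings_requested SCRIPT: print the keyring paths the script asks for.
keyrings_requested() {
    sed -n 's/^[[:space:]]*keyring[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1"
}

# check_keyrings SCRIPT [DISABLE]: return 0 if every requested keyring is
# readable, 1 if any is missing. A non-empty DISABLE mirrors --no-check-gpg:
# the check is skipped deliberately and that is said out loud on stderr.
check_keyrings() {
    script=$1
    disable=${2:-}
    if [ -n "$disable" ]; then
        echo "W: keyring check disabled; Release signature will not be verified" >&2
        return 0
    fi
    status=0
    for k in $(keyrings_requested "$script"); do
        if [ -r "$k" ]; then
            echo "I: keyring ok: $k" >&2
        else
            echo "E: keyring file not available: $k" >&2
            status=1
        fi
    done
    return $status
}

# Typical use (suite script path is an assumption; adjust to your install):
#   check_keyrings /usr/share/debootstrap/scripts/sid && \
#       debootstrap sid /srv/chroot/sid
```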
