[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#560038: marked as done (please make validating signatures the default, if /usr/share/keyrings/debian-archive-keyring.gpg is available)



Your message dated Tue, 26 Apr 2011 21:17:21 +0000
with message-id <E1QEpdJ-0003Uq-5L@franck.debian.org>
and subject line Bug#560038: fixed in debootstrap 1.0.30
has caused the Debian Bug report #560038,
regarding please make validating signatures the default, if /usr/share/keyrings/debian-archive-keyring.gpg is available
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
560038: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560038
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: piuparts
Version: 0.36
Severity: important

Hi.


debootstrap (unlike cdebootstrap IIRC) does not check signatures on any packages per default, but only when the "--keyring" option is used.

This has the potential security problem, that users are building (and thus executing code) that is not verified.

I would suggest that you at least add a:
DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.

But this still is,.. well not a good solution, so I'd suggest the following:
1) Add options to piuparts itself:
- A mandatory --keyring= option to specify the keyring to be used and that is passed on to [c]debootstrab - A option like --do-not-verify-signatures (including some warnings that this is dangerous),.. and only if this is set,... --keyring may be omitted.

2) If nothing off the above is specified, piuparts should fail.


I'm not sure about the following:
- As piuparts installs stuff inside the already bootstrapped chroot, there may be additional possibilities for insecure packages. But I assume you use always apt there, right? And this should use keys,.. well at least with deboostrap they're copied into the chroot (IIRC),... not sure about cdebootstrap.

- Is this already a problem with current build daemons or whatever? And should we inform those guys on this problem?


Regards,
Chris.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages piuparts depends on:
ii  apt                        0.7.23.1      Advanced front-end for dpkg
ii  debootstrap                1.0.15        Bootstrap a basic Debian system
ii lsb-release 3.2-23 Linux Standard Base version report
ii  lsof                       4.81.dfsg.1-1 List open files
ii python 2.5.4-2 An interactive high-level object-o ii python-debian 0.1.14 Python modules to work with Debian

piuparts recommends no packages.

Versions of packages piuparts suggests:
ii ghostscript 8.70~dfsg-2+b1 The GPL Ghostscript PostScript/PDF
pn  python-rpy                <none>         (no description available)

-- no debconf information

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.




--- End Message ---
--- Begin Message ---
Source: debootstrap
Source-Version: 1.0.30

We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive:

debootstrap-udeb_1.0.30_all.udeb
  to main/d/debootstrap/debootstrap-udeb_1.0.30_all.udeb
debootstrap_1.0.30.dsc
  to main/d/debootstrap/debootstrap_1.0.30.dsc
debootstrap_1.0.30.tar.gz
  to main/d/debootstrap/debootstrap_1.0.30.tar.gz
debootstrap_1.0.30_all.deb
  to main/d/debootstrap/debootstrap_1.0.30_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Apr 2011 17:10:00 -0400
Source: debootstrap
Binary: debootstrap debootstrap-udeb
Architecture: source all
Version: 1.0.30
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description: 
 debootstrap - Bootstrap a basic Debian system
 debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 560038 621657 624229
Changes: 
 debootstrap (1.0.30) unstable; urgency=low
 .
   [ Joey Hess ]
   * Recommend debian-archive-keyring, and if it is installed,
     default to checking gpg signatures of the Release file against it
     when bootstrapping sid, squeeze, wheezy, etch, and lenny.
     Closes: #560038
   * Add --no-check-gpg option that can be used to disable release file
     verification. Closes: #624229
   * Needs base-installer 1.117.
   * Add a warning message if the keyring file is not available, and
     --no-check-gpg is not specified.
   * Clear all global variables used for options, so that unclean
     environment doesn't break debootstrap. Closes: #621657
   * Removed the --boot-floppies switch and mode. Assuming this has
     not been used in 10 years.
 .
   [ Colin Watson ]
   * Resolve dependencies from all requested components (LP: #740167).
Checksums-Sha1: 
 420f931b7622110ab22e0ab01e1a7e485944306f 1684 debootstrap_1.0.30.dsc
 7dad785b9a1078b78fabc9607e978eb66c2f5dbc 54817 debootstrap_1.0.30.tar.gz
 b4f0ab822cffc5ce19f97285e8eaa041b9a27788 57146 debootstrap_1.0.30_all.deb
 3263df5786d9933cd0fce02237bc7938e6070c69 18608 debootstrap-udeb_1.0.30_all.udeb
Checksums-Sha256: 
 cfca953ff60fc3c853cea29370606d89869370e82a7cf9de1a71a7c0c59ae04a 1684 debootstrap_1.0.30.dsc
 c475a42ec3387b06623da132aa93d7bf0d8508ace08c2111287553e3a06f222b 54817 debootstrap_1.0.30.tar.gz
 dd3d0be5ec277b643e6530fcc537361536e6b662419db979604b3879f229e2cc 57146 debootstrap_1.0.30_all.deb
 fa7027487c122a97c0331922107691269e7dccf348f8de4f4501489958f172fd 18608 debootstrap-udeb_1.0.30_all.udeb
Files: 
 81e2062dade9633b55b5df27c8a30031 1684 admin extra debootstrap_1.0.30.dsc
 6791326a63a0a31b92e0259409f8c95a 54817 admin extra debootstrap_1.0.30.tar.gz
 4f985216ad30f1c25f5afb038c5f8daa 57146 admin extra debootstrap_1.0.30_all.deb
 d87b35670aa735ae5b7d3f8bf1b76245 18608 debian-installer extra debootstrap-udeb_1.0.30_all.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIVAwUBTbc09ckQ2SIlEuPHAQiyzg/+L7s4Itlzr2Y9RdqrORHvUULoW6w7KI8J
j9L6+mvPz5cws/z9KFWzDBZZvXSoL2bEi4WbphtDhfp0lgEKa7q+aI+TJxkANW+V
QnZa8thCpEKB7BoOEDM97Q13FHk3gL51puH7Yc+mGkxFp52DGYeWPESGWYIsU+Ax
gmjMmVclhsPIDdmT2RYH4m6xXUNTDlbfx4fs630C1QkZ0INN+gvTx7UJDyW1/NdJ
f5w8m83vXnXZjoHS43n1afz1j7xFuyqXeFM+2cW9Aekofll6hfGWsul2L3qabLJ2
Vp1y4lPApY+T5WSAWizb8ma5DavzVABFcfYXgu2tCnJL7QhxgKywFV2zUUOdc48q
TT15r39xyXrlVrLyLGtCDvPTw5iAdjJvil0g3Exnbde/PBI4MvTPHaXSdRxV27cG
F3BR/eyAfpdYYAeP7vYpefEw/6GxrWcS7uWOx8oPSN1wA7bsEzJW5UVrQyGSbGhx
wWQsCGSfZCxFBmXri2y65BaPOQlfCOu+QSN9C0utSBZQG/jsYpfb1/ykI0zLo+9/
wWNY5TrRtcMBq1YUW63vpWAvF4jeGn22b0tE3VC0vS/6WAc/eAahIK69WBl2OF8I
0YfD18qFN4TzWc9U4+TvssFTi9bqIiE84bImTETvyB6MNK0BM9UbFNnOM/nTufBb
qRxNgIMknak=
=/crh
-----END PGP SIGNATURE-----



--- End Message ---

Reply to: