--- Begin Message ---
Package: piuparts
Version: 0.36
Severity: important
Hi.
debootstrap (unlike cdebootstrap IIRC) does not check signatures on
any packages per default, but only when the "--keyring" option is used.
This has the potential security problem that users are building (and
thus executing) code that is not verified.
I would suggest that you at least add a:
DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.
But this still is,.. well not a good solution, so I'd suggest the following:
1) Add options to piuparts itself:
- A mandatory --keyring= option to specify the keyring to be used and
that is passed on to [c]debootstrap
- An option like --do-not-verify-signatures (including some warnings
that this is dangerous),.. and only if this is set,... --keyring may
be omitted.
2) If nothing of the above is specified, piuparts should fail.
I'm not sure about the following:
- As piuparts installs stuff inside the already bootstrapped chroot,
there may be additional possibilities for insecure packages. But I
assume you always use apt there, right? And this should use keys,..
well at least with debootstrap they're copied into the chroot
(IIRC),... not sure about cdebootstrap.
- Is this already a problem with current build daemons or whatever?
And should we inform those guys on this problem?
Regards,
Chris.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages piuparts depends on:
ii apt 0.7.23.1 Advanced front-end for dpkg
ii debootstrap 1.0.15 Bootstrap a basic Debian system
ii lsb-release 3.2-23 Linux Standard Base version report
ii lsof 4.81.dfsg.1-1 List open files
ii python 2.5.4-2 An interactive high-level object-o
ii python-debian 0.1.14 Python modules to work with Debian
piuparts recommends no packages.
Versions of packages piuparts suggests:
ii ghostscript 8.70~dfsg-2+b1 The GPL Ghostscript PostScript/PDF
pn python-rpy <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: debootstrap
Source-Version: 1.0.30
We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive:
debootstrap-udeb_1.0.30_all.udeb
to main/d/debootstrap/debootstrap-udeb_1.0.30_all.udeb
debootstrap_1.0.30.dsc
to main/d/debootstrap/debootstrap_1.0.30.dsc
debootstrap_1.0.30.tar.gz
to main/d/debootstrap/debootstrap_1.0.30.tar.gz
debootstrap_1.0.30_all.deb
to main/d/debootstrap/debootstrap_1.0.30_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 560038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated debootstrap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 26 Apr 2011 17:10:00 -0400
Source: debootstrap
Binary: debootstrap debootstrap-udeb
Architecture: source all
Version: 1.0.30
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description:
debootstrap - Bootstrap a basic Debian system
debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 560038 621657 624229
Changes:
debootstrap (1.0.30) unstable; urgency=low
.
[ Joey Hess ]
* Recommend debian-archive-keyring, and if it is installed,
default to checking gpg signatures of the Release file against it
when bootstrapping sid, squeeze, wheezy, etch, and lenny.
Closes: #560038
* Add --no-check-gpg option that can be used to disable release file
verification. Closes: #624229
* Needs base-installer 1.117.
* Add a warning message if the keyring file is not available, and
--no-check-gpg is not specified.
* Clear all global variables used for options, so that unclean
environment doesn't break debootstrap. Closes: #621657
* Removed the --boot-floppies switch and mode. Assuming this has
not been used in 10 years.
.
[ Colin Watson ]
* Resolve dependencies from all requested components (LP: #740167).
Package-Type: udeb
--- End Message ---
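As an added example (not code from piuparts or debootstrap), the following POSIX sh wrapper implements the fail-closed policy the report asks piuparts for, spelled with the --keyring and --no-check-gpg options that debootstrap 1.0.30 introduced in the changelog above; the function name bootstrap_policy, the mktemp keyring and the /srv/chroot target are assumptions.

```shell
#!/bin/sh
# Added example, not piuparts or debootstrap code: bootstrap_policy inspects
# the option list that would be handed to debootstrap and decides whether the
# bootstrap may run. Verdicts:
#   verify - a readable --keyring was given; Release signatures get checked
#   skip   - --no-check-gpg (debootstrap >= 1.0.30) explicitly disables checks
#   refuse - neither given, or the keyring file is unreadable: fail closed,
#            stricter than debootstrap 1.0.30's own warn-and-continue default
# Prints the verdict on stdout; returns 0 (may run) or 1 (refuse).
bootstrap_policy() {
    keyring=""
    skip=no
    expect=""
    for arg in "$@"; do
        if [ "$expect" = keyring ]; then   # value half of "--keyring FILE"
            keyring=$arg
            expect=""
            continue
        fi
        case "$arg" in
            --keyring=*)    keyring=${arg#--keyring=} ;;
            --keyring)      expect=keyring ;;
            --no-check-gpg) skip=yes ;;
        esac
    done
    if [ "$skip" = yes ]; then
        echo "WARNING: Release file signature check disabled by --no-check-gpg" >&2
        echo skip
        return 0
    fi
    if [ -z "$keyring" ]; then
        echo "ERROR: no --keyring given and --no-check-gpg not set; refusing" >&2
        echo refuse
        return 1
    fi
    if [ ! -r "$keyring" ]; then
        echo "ERROR: keyring '$keyring' is not readable; refusing" >&2
        echo refuse
        return 1
    fi
    echo verify
    return 0
}

# Demo with a constructed, empty keyring file; /srv/chroot is an assumed target.
demo_keyring=$(mktemp)
bootstrap_policy --keyring="$demo_keyring" sid /srv/chroot   # verify
bootstrap_policy --no-check-gpg sid /srv/chroot              # skip
bootstrap_policy sid /srv/chroot || echo "bootstrap refused" # refuse
rm -f "$demo_keyring"
```

Only the verdict is produced here; a real wrapper would exec debootstrap with the same argument list when the verdict is verify or skip.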