Bug#703146: Better debootstrap InRelease handling fix
Le mercredi 27 mars 2013 à 13:32 +0100, Didier 'OdyX' Raboud a écrit :
> Le mercredi, 27 mars 2013 12.59:15, Benjamin Cama a écrit :
> > attached version fix both problems (and is based on latest master, after
> > Julien disabled InRelease support). Please not that it will still print
> > what's _before_ the BEGIN header, if present (there shouldn't be
> > anything, but if you really want to be picky…)
>
> Well, yes, we want to be picky: the whole point of checking the signature is
> to avoid letting unsigned content be considered valid by debootstrap / apt /
> etc. See CVE-2013-1051.
OK, I understand. With my patch, someone could sneak in an unsigned
Release before the signed one, right? I don't know if apt would parse
it, but it's a problem.
> That said, I think I would prefer a gpgv patch to only output verified content
> than such sed hackery (although nice).
Yes, this would be a far better solution. But a quick look at gnupg
doesn't make that look easy.
I'll give up on this solution for now, and let InRelease files
unhandled.
Thanks for the comments,
--
Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
Reply to: