
Bug#432309: should check Release signature by default?



forcemerge 432309 610753 515938
severity 432309 important
stop

Hi.

AFAICS, all these issues (two of them actually reported by myself) are
the same, therefore forcemerging.

It seems that since 1.0.30:
  * Recommend debian-archive-keyring, and if it is installed,
    default to checking gpg signatures of the Release file against it
    when bootstrapping sid, squeeze, wheezy, etch, and lenny.
    Closes: #560038
the Release files (and all other downloaded files - is that true?) are
actually checked per default,... but ONLY if debian-archive-keyring is
installed, right?


I don't think however that this fully closes the issue reported in these
bugs.
Cause AFAIU, if debian-archive-keyring is not installed, it still
defaults to not verifying anything... and thereby possibly
installing/executing forged and evil packages.

True?


So I suggest that it should be changed the following way,...
that if no --keyring is given, nor is debian-archive-keyring
installed (and usable)... debootstrap should fail (unless --no-check-gpg
is given).

I don't think this will break a lot, as most systems will probably have
debian-archive-keyring installed.

Anyway it's just a recommends so it might not be the case and one
shouldn't leave these systems open to attacks.


Cheers,
Chris.
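
The fail-closed behaviour proposed in the message above, sketched as an added example; it is not debootstrap's own code and not part of the original message. The function names, the output strings, the rule that --no-check-gpg wins over --keyring, and the default keyring path are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed keyring selection (hypothetical names throughout).

# Assumed install path of the keyring shipped by debian-archive-keyring.
DEFAULT_KEYRING="${DEFAULT_KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}"

# usable_keyring FILE: true if FILE is a readable, non-empty regular file.
usable_keyring() {
    [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# decide_verification [ARGS...]
# Prints one of:
#   verify:<keyring>  check the Release signature against <keyring>
#   skip              the operator explicitly passed --no-check-gpg
#   fail:<reason>     refuse to bootstrap
# Returns 0 for verify/skip, 1 for fail.
decide_verification() {
    keyring=""
    no_check=0
    for arg in "$@"; do
        case "$arg" in
            --keyring=*)    keyring="${arg#--keyring=}" ;;
            --no-check-gpg) no_check=1 ;;
        esac
    done

    # Skipping verification is only ever the result of an explicit opt-out.
    if [ "$no_check" -eq 1 ]; then
        echo "skip"; return 0
    fi
    if [ -n "$keyring" ]; then
        # An explicit keyring that cannot be used must not fall back silently.
        if usable_keyring "$keyring"; then
            echo "verify:$keyring"; return 0
        fi
        echo "fail:keyring $keyring not usable"; return 1
    fi
    if usable_keyring "$DEFAULT_KEYRING"; then
        echo "verify:$DEFAULT_KEYRING"; return 0
    fi
    echo "fail:no keyring available and --no-check-gpg not given"; return 1
}
```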
