
Bug#733179: marked as done (debootstrap should abort if the keyring is missing, not just warn)



Your message dated Mon, 18 May 2015 12:33:54 +0000
with message-id <E1YuKF0-0003kC-5r@franck.debian.org>
and subject line Bug#661501: fixed in debootstrap 1.0.69
has caused the Debian Bug report #661501,
regarding debootstrap should abort if the keyring is missing, not just warn
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
661501: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661501
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debootstrap
Version: 1.0.55
Tags: patch, security

The keyring might not be available on non-Debian distros, so that warning should instead be a spectacular fail instead of risking running arbitrary code. Might not be a very serious issue for Debian, but I tagged it as 'security' anyway. A patch is attached.


P.S.

c72e1705 (Joey Hess            2011-03-25 14:35:02 -0400  524)          warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"

I don't want to bash people for this, but I feel security isn't being taken seriously; see bug #722906, look how the package manager gladly goes about building unverified packages and probably a bunch of other things I might have not noticed yet and make me want to abandon Debian completely on machines I admin.

    Apologizing if that was too much acid,
    Eduard
From 8b02a8dcdd315b85fbc8246ae0265faed1828ab8 Mon Sep 17 00:00:00 2001
From: Eduard - Gabriel Munteanu <edgmnt@gmail.com>
Date: Thu, 26 Dec 2013 20:39:36 +0200
Subject: [PATCH] Abort if keyring is missing, don't just warn.

Signed-off-by: Eduard - Gabriel Munteanu <edgmnt@gmail.com>
---
 functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/functions b/functions
index a2e1431..69d8ea7 100644
--- a/functions
+++ b/functions
@@ -521,7 +521,7 @@ download_release_sig () {
 		 "$relsigdest" "$reldest" || true) | read_gpg_status
 		progress 100 100 DOWNRELSIG "Downloading Release file signature"
 	elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
-		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
+		error 1 NOKEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
 	fi
 }
 
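Review bot: replacing `warning KEYRING` with `error 1 NOKEYRING` in the `elif` branch makes every run on a host without the wanted keyring fatal, with `--no-check-gpg` (which sets `DISABLE_KEYRING`) as the only way around it; that is the right default from a verification standpoint, but it silently breaks existing callers on non-Debian hosts that never had `debian-archive-keyring` installed. Consider gating the hard failure behind an explicit opt-in option and documenting it in the manpage, so scripts can request "fail unless the Release signature is actually checked" (the 1.0.69 changelog below does exactly this with `--force-check-gpg`); also note that `NOKEYRING` is a new error code, so any caller matching on `KEYRING` in the output would need updating.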
-- 
1.8.3.2


--- End Message ---
--- Begin Message ---
Source: debootstrap
Source-Version: 1.0.69

We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 661501@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 18 May 2015 14:07:43 +0200
Source: debootstrap
Binary: debootstrap debootstrap-udeb
Architecture: source all
Version: 1.0.69
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description:
 debootstrap - Bootstrap a basic Debian system
 debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 661501 709751 733179 734743 768445 774752 775454 785276
Changes:
 debootstrap (1.0.69) unstable; urgency=medium
 .
   [ Cyril Brulebois ]
   * Make sure to deduplicate package list in download_release to avoid
     issues while counting downloaded packages. The failure path could lead
     to printing some strange integer (Closes: #709751, #768445, #785276,
     #774752).
     This was reported to mostly happen whenever --no-resolve-deps is used.
   * Add support for --force-check-gpg so that one can programmatically
     make sure keyring checks are used and that no fallback to an https
     mirror happens (Closes: #661501, #733179, #775454).
   * Switch default mirror from ftp.us.debian.org to the new, official
     http redirector service: httpredir.debian.org
   * Make it possible to override the MAKEDEV variable (Closes: #734743).
     Thanks, Wookey!
 .
   [ Christian Perrier ]
   * Update Standards to 3.9.6 (checked)


--- End Message ---
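The patch in the first message turns a missing keyring into a hard error, and the 1.0.69 changelog makes that enforceable with --force-check-gpg. The wrapper below is an added example, not debootstrap's own code: it refuses to start a bootstrap unless the keyring is present and non-empty, and always passes --force-check-gpg so the tool itself also fails rather than warns. DEBOOTSTRAP is an assumed environment override (used only for testing); paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from debootstrap): only invoke debootstrap when the
# Release-signature check can really be enforced. --force-check-gpg exists
# since debootstrap 1.0.69 (see the changelog above); the local keyring check
# makes the failure explicit before any network access happens.
# DEBOOTSTRAP is an assumed override so the wrapper can be exercised offline.

# check_keyring PATH -> 0 if PATH is a readable, non-empty file, else 1
check_keyring() {
    keyring=$1
    if [ -z "$keyring" ]; then
        echo "no keyring given; refusing to bootstrap unverified" >&2
        return 1
    fi
    if [ ! -r "$keyring" ]; then
        echo "keyring not readable: $keyring" >&2
        return 1
    fi
    if [ ! -s "$keyring" ]; then
        # An empty keyring verifies nothing, so treat it like a missing one.
        echo "keyring is empty: $keyring" >&2
        return 1
    fi
    return 0
}

# build_bootstrap_cmd SUITE TARGET MIRROR KEYRING
# Prints the command line on stdout; prints nothing and returns 1 when the
# keyring check fails. Kept separate from execution so it can be tested.
build_bootstrap_cmd() {
    suite=$1; target=$2; mirror=$3; keyring=$4
    check_keyring "$keyring" || return 1
    printf '%s --force-check-gpg --keyring=%s %s %s %s\n' \
        "${DEBOOTSTRAP:-debootstrap}" "$keyring" "$suite" "$target" "$mirror"
}

# verified_bootstrap SUITE TARGET MIRROR KEYRING
# Runs the bootstrap, or fails before touching the network if signature
# verification could not be enforced.
verified_bootstrap() {
    cmd=$(build_bootstrap_cmd "$@") || return 1
    echo "running: $cmd" >&2
    # shellcheck disable=SC2086  (intentional word splitting of the command)
    $cmd
}
```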
