Re: debootstrap InRelease file support

Julien Cristau writes:
> On Thu, Mar  3, 2016 at 21:12:06 -0500, Mathieu Trudel-Lapierre wrote:
>> Looking into a bug in Ubuntu relating to an out of sync proxy, InRelease
>> file support in debootstrap came up.
>> I found out that debootstrap had already had such support in the past
>> (specifically, in 1.0.47 and earlier) and that was removed by Julien
>> Cristau because it also pulled in a fuller gpg, which comes with its own
>> set of potential issues.
>> Seems like we could well put it back in and just replace the bit that
>> extracts the signed data in InRelease (same as is in Release) with using
>> sed and grep to remove the signature text.
>> I did the work and pushed it to git at
>> http://anonscm.debian.org/cgit/d-i/debootstrap.git/log/?h=people/cyphermox/inrelease.
>> As before, this would default to using the InRelease file from the
>> archive first, if available, and otherwise fall back to using the usual
>> Release + Release.gpg.
>> Is there any interest in supporting this again? I would like some
>> feedback on the code branch, then I'd be happy to merge it to master
>> (but I would still need someone to sponsor the upload).
> Hi Mathieu,
> I had a look at your branch.  As far as I can tell, that code will
> happily accept an InRelease file that starts with correct signed bits,
> with random unsigned data appended.  That seems wrong.

If you restore support for `InRelease` and want to use `gpgv`, please
split `InRelease` into two files, i.e. `Release` and `Release.gpg`, and
verify that the signature actually covers all of `Release`.

Calling `gpgv` on `InRelease` and then hoping to extract the right part
is quite error-prone. (As Julien notes and I agree.) Quite a lot of
tools in Debian got this wrong, see for example CVE-2013-1051.

As far as I understand, splitting `InRelease` into data and detached
signature is also what `apt` does these days.
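An added example of the split described above (not debootstrap's or apt's own code, and the sample InRelease below is constructed, not a real archive file): it turns one clearsigned InRelease into a Release body and a detached Release.gpg for gpgv, and rejects the case Julien raises, a valid signed block with unsigned data appended after it.

```python
import subprocess
import tempfile
from pathlib import Path

BEGIN_MSG = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"
END_SIG = b"-----END PGP SIGNATURE-----"


def split_inrelease(data: bytes) -> tuple[bytes, bytes]:
    """Split one clearsigned InRelease into (Release, Release.gpg).
    Raises ValueError unless the file is exactly one signed message with
    nothing but whitespace after the signature block, so appended unsigned
    data is rejected rather than silently dropped.
    """
    if data.count(BEGIN_MSG) != 1 or data.count(END_SIG) != 1:
        raise ValueError("InRelease must contain exactly one signed message")
    # Trailing spaces/tabs/CR are not part of the signed text (RFC 4880 7.1).
    lines = [ln.rstrip(b" \t\r") for ln in data.split(b"\n")]
    if lines[0] != BEGIN_MSG:
        raise ValueError("InRelease does not start with a signed message")
    i = 1
    while i < len(lines) and lines[i]:    # skip armor headers (Hash: ...)
        i += 1
    i += 1                                # and the blank line after them
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        # Dash-unescape: a signed line starting with "-" is stored as "- -".
        body.append(lines[i][2:] if lines[i].startswith(b"- ") else lines[i])
        i += 1
    sig_start = i
    while i < len(lines) and lines[i] != END_SIG:
        i += 1
    if i >= len(lines):
        raise ValueError("signature block missing or not terminated")
    if b"".join(lines[i + 1:]).strip():
        raise ValueError("unsigned data appended after the signature")
    # The newline before BEGIN PGP SIGNATURE is not signed either (RFC 4880 7).
    return b"\n".join(body), b"\n".join(lines[sig_start:i + 1]) + b"\n"


def verify_with_gpgv(inrelease: bytes, keyring: str) -> bool:
    """Write both halves to a temp dir and let gpgv check that the detached
    signature covers all of Release. keyring: path to the archive keyring."""
    release, sig = split_inrelease(inrelease)
    with tempfile.TemporaryDirectory() as d:
        Path(d, "Release").write_bytes(release)
        Path(d, "Release.gpg").write_bytes(sig)
        cmd = ["gpgv", "--keyring", keyring, f"{d}/Release.gpg", f"{d}/Release"]
        return subprocess.run(cmd, capture_output=True).returncode == 0
```

Because the split is done before gpgv runs, a signature that verifies is known to cover every byte handed back as Release, and nothing outside the signed region ever reaches the caller.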
