[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#837075: debootstrap: does not validate `suite` parameter against Release file

Package: debootstrap
Version: 1.0.81
Severity: normal

  debootstrap ${suite} ${suite} ${mirror}
will install whatever the mirror serves as dists/${suite}, even when that
is not the requested suite.  This can easily be checked with a few Redirect
statements in a .htaccess file:

  Redirect /debian-wrong/pool http://ftp.de.debian.org/debian/pool
  Redirect /debian-wrong/dists/stable http://ftp.de.debian.org/debian/dists/unstable

  debootstrap stable stable http://[...]/debian-wrong
will install unstable instead of stable.

debootstrap should validate that ${suite} is listed in the Release
file in either the Suite: or Codename: fields.  Additionally storing
the codename in a variable would also be useful for suite-specific
workarounds, such as [1].


  [1] <https://bugs.debian.org/810301#69>

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debootstrap depends on:
ii  wget  1.18-2+b1

Versions of packages debootstrap recommends:
ii  debian-archive-keyring  2014.3
ii  gnupg                   2.1.14-5

debootstrap suggests no packages.

-- no debconf information

Reply to: