Bug#837075: debootstrap: does not validate `suite` parameter against Release file
Package: debootstrap
Version: 1.0.81
Severity: normal
Running

    debootstrap ${suite} ${suite} ${mirror}

will install whatever the mirror serves as dists/${suite}, even when that
is not the requested suite. This can easily be checked with a few Redirect
statements in a .htaccess file:

    Redirect /debian-wrong/pool http://ftp.de.debian.org/debian/pool
    Redirect /debian-wrong/dists/stable http://ftp.de.debian.org/debian/dists/unstable

Then

    debootstrap stable stable http://[...]/debian-wrong

will install unstable instead of stable.

debootstrap should validate that ${suite} is listed in the Release
file in either the Suite: or Codename: fields. Additionally storing
the codename in a variable would also be useful for suite-specific
workarounds, such as [1].

Ansgar

[1] <https://bugs.debian.org/810301#69>

-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages debootstrap depends on:
ii wget 1.18-2+b1
Versions of packages debootstrap recommends:
ii debian-archive-keyring 2014.3
ii gnupg 2.1.14-5
debootstrap suggests no packages.
-- no debconf information
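
The check requested in the report above, as an added example that is not part of the original bug report and is not debootstrap's own code. The function names and the sample Release file are constructed for illustration, and the sketch assumes the Release file's signature has already been verified before its fields are trusted.

```shell
#!/bin/sh
# Added example (not debootstrap code); function names are hypothetical.
# Assumes the Release file's signature has already been verified.

# Print the value of a top-level field ($2) from a Release file ($1).
release_field() {
    awk -v f="$2" 'BEGIN { f = tolower(f) ":" }
        tolower(substr($0, 1, length(f))) == f {
            v = substr($0, length(f) + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            print v; exit
        }' "$1"
}

# Return 0 only if the requested suite ($2) equals the Suite: or the
# Codename: field of the Release file ($1); 1 on mismatch, 2 on bad input.
suite_matches_release() {
    rel=$1 want=$2
    [ -n "$want" ] || return 2
    suite=$(release_field "$rel" Suite)
    codename=$(release_field "$rel" Codename)
    if [ "$want" = "$suite" ] || [ "$want" = "$codename" ]; then
        return 0
    fi
    echo "E: asked for '$want' but Release says Suite='$suite' Codename='$codename'" >&2
    return 1
}

# Constructed sample: what the redirecting mirror from the report would
# serve under dists/stable/Release (it is really unstable's Release file).
make_sample_release() {
    cat > "$1" <<'EOF'
Origin: Debian
Label: Debian
Suite: unstable
Codename: sid
Date: Sat, 17 Sep 2016 08:58:23 UTC
Architectures: amd64 i386
Components: main contrib non-free
EOF
}

tmp=$(mktemp)
make_sample_release "$tmp"
suite_matches_release "$tmp" stable || echo "stable: mismatch, refusing to bootstrap"
suite_matches_release "$tmp" sid && echo "sid: accepted, codename is $codename"
rm -f "$tmp"
```

After a successful check, `$codename` holds the value the report suggests keeping for suite-specific workarounds.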