
Re: debootstrap InRelease file support



On Thu, Mar  3, 2016 at 21:12:06 -0500, Mathieu Trudel-Lapierre wrote:

> Hi,
> 
> Looking into a bug in Ubuntu relating to an out of sync proxy, InRelease
> file support in debootstrap came up.
> 
> I found out that debootstrap had already had such support in the past
> (specifically, in 1.0.47 and earlier) and that was removed by Julien
> Cristau because it also pulled in a fuller gpg, which comes with its own
> set of potential issues.
> 
> Seems like we could well put it back in and just replace the bit that
> extracts the signed data in InRelease (same as is in Release) with using
> sed and grep to remove the signature text.
> 
> I did the work and pushed it to git at
> http://anonscm.debian.org/cgit/d-i/debootstrap.git/log/?h=people/cyphermox/inrelease.
> As before, this would default to using the InRelease file from the
> archive first, if available, and otherwise fall back to using the usual
> Release + Release.gpg.
> 
> Is there any interest in supporting this again? I would like some
> feedback on the code branch, then I'd be happy to merge it to master
> (but I would still need someone to sponsor the upload).
> 
Hi Mathieu,

I had a look at your branch.  As far as I can tell, that code will
happily accept an InRelease file that starts with correct signed bits,
with random unsigned data appended.  That seems wrong.

Cheers,
Julien
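
The failure mode described in the reply above, as an added example (not code from the debootstrap branch or from either author): a hypothetical sed filter that only strips signature text, next to a stricter framing check that rejects anything after the signature block. The function names and the sample file are constructed, and neither function verifies the signature; they only show which lines would end up treated as signed content.

```shell
#!/bin/sh
# Constructed sample: clearsigned framing with a placeholder signature body.
# $1 = output path, $2 = optional line appended after the signature block.
make_sample() {
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' \
            'Origin: Example' 'Suite: stable' \
            '-----BEGIN PGP SIGNATURE-----' '' 'PLACEHOLDER' \
            '-----END PGP SIGNATURE-----'
        [ -z "$2" ] || printf '%s\n' "$2"
    } > "$1"
}

# Hypothetical naive filter: delete the armor header and the signature block,
# keep every other line. Lines after END PGP SIGNATURE survive the filter.
naive_strip() {
    sed -e '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/d' \
        -e '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/d' "$1"
}

# Strict framing check: exactly one clearsigned block, starting on line 1,
# with only blank lines after the signature. Prints the payload only if the
# whole file is well framed; otherwise prints nothing and returns 2.
strict_extract() {
    awk '
    BEGIN { st = 0 }  # 0 start, 1 armor headers, 2 payload, 3 signature, 4 done
    st == 0 { if ($0 != "-----BEGIN PGP SIGNED MESSAGE-----") { bad = 1; exit }
              st = 1; next }
    st == 1 { if ($0 == "") { st = 2 }
              else if ($0 !~ /^Hash: /) { bad = 1; exit }
              next }
    st == 2 { if ($0 == "-----BEGIN PGP SIGNATURE-----") { st = 3; next }
              if ($0 ~ /^-----/) { bad = 1; exit }   # unescaped armor line
              sub(/^- /, ""); body[++n] = $0; next } # undo dash-escaping
    st == 3 { if ($0 == "-----END PGP SIGNATURE-----") st = 4; next }
    st == 4 { if ($0 !~ /^[ \t]*$/) { bad = 1; exit } } # unsigned trailer
    END { if (bad || st != 4) exit 2
          for (i = 1; i <= n; i++) print body[i] }
    ' "$1"
}

# Demo on the constructed file with an unsigned line appended.
f=$(mktemp); make_sample "$f" 'Injected: unsigned-data'
naive_strip "$f" | grep -q '^Injected' && echo "naive filter kept unsigned line"
strict_extract "$f" >/dev/null || echo "strict parser rejected file"
rm -f "$f"
```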

