Re: debootstrap InRelease file support
On Thu, Mar 3, 2016 at 21:12:06 -0500, Mathieu Trudel-Lapierre wrote:
> Hi,
>
> Looking into a bug in Ubuntu relating to an out of sync proxy, InRelease
> file support in debootstrap came up.
>
> I found out that debootstrap had already had such support in the past
> (specifically, in 1.0.47 and earlier) and that was removed by Julien
> Cristau because it also pulled in a fuller gpg, which comes with its own
> set of potential issues.
>
> Seems like we could well put it back in and just replace the bit that
> extracts the signed data in InRelease (same as is in Release) with using
> sed and grep to remove the signature text.
>
> I did the work and pushed it to git at
> http://anonscm.debian.org/cgit/d-i/debootstrap.git/log/?h=people/cyphermox/inrelease.
> As before, this would default to using the InRelease file from the
> archive first, if available, and otherwise fallback to using the usual
> Release + Release.gpg.
>
> Is there any interest for supporting this again? I would like some
> feedback on the code branch, then I'd be happy to merge it to master
> (but I would still need someone to sponsor the upload).
>
Hi Mathieu,

I had a look at your branch. As far as I can tell, that code will
happily accept an InRelease file that starts with correct signed bits,
with random unsigned data appended. That seems wrong.

Cheers,
Julien
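
The failure mode raised in the reply above, as an added example (not code from the debootstrap branch or from either poster): a strict framing check that accepts an InRelease file only when it is exactly one clearsigned block with nothing before or after it. The function names and the sample file are constructed for illustration; the check covers framing only, and signature verification is still left to gpgv.

```shell
#!/bin/sh
# Added example, not debootstrap code. Checks clearsign framing only.
# inrelease_framing_ok FILE: exit 0 only if FILE is a single clearsigned
# message with no data before, between or after its armor lines.
inrelease_framing_ok() {
    awk '
        state == 0 {    # first line must open the signed message
            if ($0 == "-----BEGIN PGP SIGNED MESSAGE-----") { state = 1; next }
            state = -1; exit
        }
        state == 1 {    # only Hash: headers, then one blank line
            if ($0 == "") { state = 2; next }
            if ($0 ~ /^Hash: /) next
            state = -1; exit
        }
        state == 2 {    # signed body; dash lines must be dash-escaped
            if ($0 == "-----BEGIN PGP SIGNATURE-----") { state = 3; next }
            if ($0 ~ /^-/ && $0 !~ /^- /) { state = -1; exit }
            next
        }
        state == 3 {    # signature armor
            if ($0 == "-----END PGP SIGNATURE-----") { state = 4; next }
            if ($0 ~ /^-----/) { state = -1; exit }
            next
        }
        state == 4 { state = -1; exit }    # data after END is unsigned
        END { exit (state == 4 ? 0 : 1) }
    ' "$1"
}
# Constructed sample: placeholder signature bytes, not a real signature.
write_sample() {
    cat > "$1" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: Example
Suite: constructed
-----BEGIN PGP SIGNATURE-----

Q09OU1RSVUNURUQ=
-----END PGP SIGNATURE-----
EOF
}
tmp=$(mktemp -d)
write_sample "$tmp/good"; write_sample "$tmp/tail"
echo "Suite: unsigned-tail" >> "$tmp/tail"    # appended unsigned data
for f in good tail; do
    inrelease_framing_ok "$tmp/$f" && echo "$f: framing ok" || echo "$f: rejected"
done
rm -rf "$tmp"
```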