Bug#1003032: debootstrap: harden signature checking
Package: debootstrap
Version: 1.0.126+nmu1
Severity: normal
Tags: security
Hey there.
As far as I understood it, debootstrap defaults neither to
--no-check-gpg nor to --force-check-gpg, but instead, if a
keyring is specified for some distribution and if that file
is available, it uses (and verifies) these (and hopefully
fails if anything fails later on).
However, it also:
- falls back to https (?)
- correct me if I'm wrong, falls back to no verification if
no key file was specified for the distribution or the file
wasn't found
That seems to make it too easy to accidentally install
untrusted code.
https is generally questionable, given the broken CA-model.
There are some 150 CAs in the Mozilla CA bundle, and on top
of these thousands of intermediate CAs. It seems far too
easy for an attacker to fake a certificate if that's really
desired.
So my suggestion would be:
- default to --force-check-gpg
- add some --check-gpg-but-fallback-to-https option
that is the current behaviour
- if either the /usr/share/debootstrap/scripts/ for some
distro doesn't name a keyring file or that file isn't
readable, fail unless --no-check-gpg is given.
Yes, that also includes failure if
--check-gpg-but-fallback-to-https was given because likely
the keyring file should be just there.
Cheers,
Philippe
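The policy proposed in the report can be approximated today from the caller's side, since debootstrap already accepts --keyring, --force-check-gpg and --no-check-gpg. The wrapper below is an added example and is not part of the bug report or of debootstrap itself. It assumes that the per-distribution script names its keyring on a line of the form "keyring /path/to/file.gpg" (the keyring may also be declared in a file the script sources, which this wrapper does not follow), that the script directory can be overridden through a hypothetical DEBOOTSTRAP_SCRIPTS variable, and that the caller invokes the hypothetical checked_debootstrap function in place of debootstrap:

```shell
#!/bin/sh
# Added example: enforce "verify with the distro keyring, or fail unless the
# caller explicitly opted out" on top of the flags debootstrap already has.
# Not debootstrap's own code; the script format and variable names are assumed.

# Assumption: scripts live here unless overridden (hypothetical variable).
SCRIPTS_DIR=${DEBOOTSTRAP_SCRIPTS:-/usr/share/debootstrap/scripts}

# Print the keyring path named by a distro script ("keyring /path/file.gpg"),
# or nothing if the script names none or cannot be read.
script_keyring() {
    sed -n 's/^[[:space:]]*keyring[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Returns 0 only if the keyring is named and readable, or if the caller
# opted out with --no-check-gpg ($2 = "yes"). Any other case is refused,
# so a missing keyring can never silently degrade to an unverified run.
keyring_policy() {
    keyring=$1
    opt_out=$2
    if [ "$opt_out" = yes ]; then
        return 0
    fi
    if [ -z "$keyring" ]; then
        echo "error: no keyring named for this suite; refusing without --no-check-gpg" >&2
        return 1
    fi
    if [ ! -r "$keyring" ]; then
        echo "error: keyring '$keyring' is not readable; refusing without --no-check-gpg" >&2
        return 1
    fi
    return 0
}

# Usage: checked_debootstrap [--no-check-gpg] [--keyring=FILE] SUITE TARGET [MIRROR ...]
# An explicit --keyring wins; otherwise the suite script is consulted.
# The real debootstrap is only reached with --force-check-gpg and a
# verified-readable keyring, or with an explicit --no-check-gpg.
checked_debootstrap() {
    opt_out=no
    keyring=""
    while [ $# -gt 0 ]; do
        case $1 in
            --no-check-gpg) opt_out=yes ;;
            --keyring=*)    keyring=${1#--keyring=} ;;
            *)              break ;;
        esac
        shift
    done
    suite=$1
    [ -n "$keyring" ] || keyring=$(script_keyring "$SCRIPTS_DIR/$suite")
    keyring_policy "$keyring" "$opt_out" || return 1
    if [ "$opt_out" = yes ]; then
        set -- --no-check-gpg "$@"
    else
        set -- --force-check-gpg --keyring="$keyring" "$@"
    fi
    debootstrap "$@"
}
```

The wrapper never adds a "fall back to https" path: the only two outcomes are a forced GPG verification against a keyring that was confirmed readable, or a refusal with a message, unless the caller typed --no-check-gpg themselves.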