
Suggestion for the woody-secured apt problem


I have followed the problem with the woody-secured from outside, without
participating in any of the discussions, so maybe I have misunderstood
something, if so, sorry.

Well, I think that the first problem we have is that the solution that we
have now implemented on debian-cd, the one that was suggested as a consensus,
is not backwards compatible with the apt that we have on potato, so it
wouldn't be easy for people running potato to upgrade to woody, at least not
as easy as it should be; they should at least upgrade to an apt compatible
with this solution using dpkg by hand, and then do the usual apt-cdrom add
and apt-get dist-upgrade and all that.

For me, and I suppose for some other people (maybe this is the reason
why the apt guys don't like this solution), this is not good. So... thinking
about this and not being an apt or debian-cd guru, I have come to a not too
pretty but working solution that I'd like to propose here and which achieves
these points:

1- It is backwards compatible with the apt on potato, this means that it is
   possible to upgrade from potato to these woody cds using the apt we have
   now on potato (doesn't break apt at all).

2- It uses the same structure that was suggested as a consensus in the
   previous discussion that took place on how to secure the cds.

Well, I don't know if the apt guys are gonna like this and if they'll feel
like implementing this into apt, but I think it is important to have
secured cds, and I think it is about time we all make this possible, whether
it is using this scheme or a better one that might be suggested.

The thing is like this:

Looking at the old apt code on potato one can see this little piece of code
on apt-cdrom.cc:

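bool FindPackages(string CD,vector<string> &List,vector<string> &SList,
                  string &InfoDir,unsigned int Depth = 0)
{
   static ino_t Inodes[9];
   // Directories reached at Depth 7 or deeper are not scanned
   if (Depth >= 7)
      return true;
   // ... (rest of the function not shown)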

There is a limit on the depth it scans, so... as one of the problems that we
were having was that the old apt-cdrom was finding our woody-secured
structure, I thought, ok we can hide it, and this limit gives us the method.

Ok, I know this is awful, to bury the structure so deep that the old apt
cannot find it, I know, when I commented this on #debian-bugs people also
told me so, well, I cannot think about any other way of hiding our
structure, but maybe some apt guru can help on this.

But before you stop reading this saying that what I propose is lame and all
that, let me finish explaining how things would look, at the end I think it
doesn't look too bad, well, at least to me.

The structure would go under a meaningful directory path, well the one that
I have come across is at dists/woody/security/signed/info

I don't think this sounds too bad, but of course any other place would be as
good as this and someone may suggest a better place than this one.

If you are asking yourself if it works, well, I have built some images using
this method and I have got images ready for you to see or test, the iso
files, the mounted iso files and the patch against the cvs version of
debian-cd that I did to implement this are available via ftp or http at
orca.trasno.net. I think the bandwidth there should be good if somebody wants
to download anything to test them. I have run the tests here myself on a
potato system and these were the results:

pul:~# apt-cdrom add
Using CD-ROM mount point /cdrom/
Unmounting CD-ROM
Please insert a Disc in the drive and press enter
Mounting CD-ROM
Identifying.. [1595e285b699d8c97a7e95d42f1374cb-2]
Scanning Disc for index files..  Found 6 package indexes and 0 source
This Disc is called:
 'Debian GNU/Linux 2.3 _Woody_ - Unofficial i386 Binary-1 (20010720)'
Reading Package Indexes... Done
Wrote 821 records.
Writing new source list
Source List entries for this Disc are:
deb cdrom:[Debian GNU/Linux 2.3 _Woody_ - Unofficial i386 Binary-1
unstable contrib main non-US/contrib non-US/main non-US/non-free non-free
Repeat this process for the rest of the CDs in your set.
pul:~# mount /cdrom
pul:~# ls -l /cdrom/dists/woody/security/signed/info/
total 48
-r--r--r--    1 root     root        11241 Jul 20 12:51 Release
-r--r--r--    1 root     root          240 Jul 20 12:51 Release.gpg
-r--r--r--    1 root     root          350 Jul 20 13:00 TRANS.TBL
dr-xr-xr-x    4 root     root         4096 Jul 20 12:51 contrib
-r--r--r--    1 root     root        12001 Jul 20 12:51 files.list.gz
dr-xr-xr-x    4 root     root         4096 Jul 20 12:51 main
dr-xr-xr-x    5 root     root         4096 Jul 20 12:51 non-US
dr-xr-xr-x    4 root     root         4096 Jul 20 12:51 non-free
pul:~# ls -l /cdrom/dists/woody/security/signed/info/main/source/
total 540
-r--r--r--    1 root     root       541739 Jul 20 12:51 Sources.gz
-r--r--r--    1 root     root           52 Jul 20 13:00 TRANS.TBL
pul:~# cat /etc/apt/sources.list
deb cdrom:[Debian GNU/Linux 2.3 _Woody_ - Unofficial i386 Binary-1
(20010720)]/ unstable contrib main non-US/contrib non-US/main
non-US/non-free non-free

Well, I think that's all I have to say, I'd like to hear your opinion about
all this and I'd like to see woody having secured cds. Hope this helps a
bit in arriving at such a situation.

Manty/BestiaTester -> http://manty.net
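
Added example, not part of the original message and not apt's code: a small model of a depth-limited index scan, run over a constructed layout, showing that the hiding depends only on the depth constant and on how deep the signed tree is placed. The names Dir, addPath, scan, scanDisc and kDisc are hypothetical, and counting the mount point as depth 0 with one level per subdirectory is an assumption of the model.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// In-memory directory tree built from constructed paths; no real disc is read.
struct Dir {
    std::map<std::string, std::unique_ptr<Dir>> subdirs;
    std::vector<std::string> files;
};

void addPath(Dir &root, const std::string &path) {
    Dir *cur = &root;
    std::size_t start = 0, slash;
    while ((slash = path.find('/', start)) != std::string::npos) {
        std::unique_ptr<Dir> &child = cur->subdirs[path.substr(start, slash - start)];
        if (!child) child.reset(new Dir);
        cur = child.get();
        start = slash + 1;
    }
    cur->files.push_back(path.substr(start));
}

// Same guard as the quoted snippet: a directory reached at depth >= limit is
// skipped. Assumption of this model: mount point is depth 0, each level adds 1.
void scan(const Dir &d, const std::string &prefix, unsigned depth,
          unsigned limit, std::vector<std::string> &found) {
    if (depth >= limit) return;
    for (const std::string &f : d.files)
        if (f == "Packages.gz" || f == "Sources.gz") found.push_back(prefix + f);
    for (const auto &s : d.subdirs)
        scan(*s.second, prefix + s.first + "/", depth + 1, limit, found);
}

std::vector<std::string> scanDisc(const std::vector<std::string> &paths, unsigned limit) {
    Dir root;
    for (const std::string &p : paths) addPath(root, p);
    std::vector<std::string> found;
    scan(root, "", 0, limit, found);
    return found;
}

// Constructed sample layout using directory names shown in the message.
const std::vector<std::string> kDisc = {
    "dists/woody/main/binary-i386/Packages.gz",                // directory depth 4
    "dists/woody/security/signed/info/Release",                // not an index file
    "dists/woody/security/signed/info/main/source/Sources.gz", // directory depth 7
};

int main() { return scanDisc(kDisc, 7).size() == 1 ? 0 : 1; }
```

With a limit of 7 only the regular Packages.gz is reported; raising the limit to 8, or placing the signed tree two levels shallower, makes the signed tree's Sources.gz visible to the scan.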
