Re: Packages that download/install unsecured files
By the way,.. a similar problem is also present in many other packages.
Let me just name a few concrete examples so that you get a feeling on
what I mean.
1) debootstrap/cdebootstrap
IIRC, only cdeboostrap requires a keyring per default (or did it always
use debian-archive-keyring?)
Anyway,... while deboostrap supports verifying signatures and specifying
a keyring,.. it doesn't to so per default.
Neither does it fail if just nothing is specified (it should only work
with verification, if some special parameter e.g. --dont-verify-sigs is
given).
I've filed a bug for this some time ago,... (and unfortunately a 2nd one
recently) but it does not seem that upstream is willing to change this
behaviour.
2) pbuilder and piuparts (and probably the debian buildd's, too) create
chroots to build the packages, and I think they're using one of the
aboves for this.
Per default they're not configured to use them (well at least
debootstrap) with signatures.
=> Building packages may lead to installation and execution of malicious
packages.
I've filed bugs for at least pbuilder and piuparts.
3) aptitude
Well I'm not sure here as I haven't had the time to read the code.
For some actions (install/upgrade/dist-upgrade) it uses secure-apt as it
simply uses apt-get (IIRC).
But what about actions not provided by apt-get, like aptitude download
<package>.
So far I was not able to find out whether this uses secure apt or not.
4) apt-file (which I like very much)
The Contents files are not yet signed AFAIK,.. and thus it cannot do any
verification.
Cheers,
Chris.
Reply to: