[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: leaks in our only-signed-software fortress

Am 18.02.2012 14:34, schrieb Neil Williams:
>- packages that eventually run some code which was downloaded
>debootstrap used to be like that, pbuilder, and some others

Only a bug if this happens by default.

It is perfectly acceptable to support an option to disable SecureApt -
just as long as this is not the default. Tools in Debian need to work
with systems outside Debian and those do not necessarily *need*
SecureApt because the entire loop is internal or even local to the one

Agreed,.... but it WAS the default till recently,.. e.g. in debootstrap till 1.0.30, when my bug #560038 was fixed (thanks Joey :) ). And of course anything that used debootstrap (e.g. pbuilder, piuparts do so) was automatically insecure, too. (till then)


Reply to: