Re: holes in secure apt

To: debian-devel@lists.debian.org
Cc: 749795@bugs.debian.org
Subject: Re: holes in secure apt
From: Thorsten Glaser <tg@debian.org>
Date: Thu, 12 Jun 2014 10:30:48 +0200
Message-id: <[🔎] alpine.DEB.2.10.1406121024050.17794@tglase.lan.tarent.de>
In-reply-to: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>

On Thu, 12 Jun 2014, Christoph Anton Mitterer wrote:

> Anyone who believed in getting trusted sources might have been attacked
> with forged packages, and even the plain build of such package might
> have undermined users' security integrity.

Then I believe Debian itself may be undermined.

> The same is the case with all debian build systems which probably rely
> on secure APT.

A buildd (sbuild) or cowbuilder is set up using the normal debootstrap
process with --variant=buildd using the Debian archive keyring of the
host system to validate. (This works.) Then, /etc/apt/sources.list is
written, and APT defaults to secure. The debian-archive-keyring package
is Essential, so this is always installed during the bootstrap. Porters
add debian-ports-archive-keyring (debootstrap can do that).

The buildd-related software (and most people when doing manual builds
with cowbuilder) uses “apt-get source foo” to download the file, fully
assuming that apt-get ensures validation, so no “dscverify” is run on
the sources downloaded by apt. (If someone uses dget, either dget is
new enough to call dscverify, or they had better be doing that by hand.)

The build process inside the chroot of cowbuilder also calls dscverify,
but as debian-keyring (distinct from debian-archive-keyring) is never
installed, it errors out always, which is just ignored. (That being
said, when I was doing porter builds/uploads with cowbuilder and used
dget+dscverify to retrieve the source, even the debian-keyring package
in sid was sometimes not up-to-date enough to have the new keys the
maintainers used to sign their packages in it. Since the proper buildd
infrastructure does not use this but relies on SecureAPT to validate
the files it downloads, this is understandable.)

This means that, if there was ever a chance that 'apt-get source foo'
would not check the integrity of the files it downloaded against
Sources.gz + Release{,.gpg} we’re in pretty deep shit. (Well, there
was, before SecureAPT was enacted, but that’s outside of the scope
of this.)

bye,
//mirabilos
-- 
“ah that reminds me, thanks for the stellar entertainment that you and certain
other people provide on the Debian mailing lists │ sole reason I subscribed to
them (I'm not using Debian anywhere) is the entertainment factor │ Debian does
not strike me as a place for good humour, much less German admin-style humour”

Reply to:

Follow-Ups:
- Re: holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: holes in secure apt
Next by Date: HTTPS everywhere! (was: holes in secure apt)
Previous by thread: Re: sofftware outside Debian (Re: holes in secure apt)
Next by thread: Re: holes in secure apt
Index(es):
- Date
- Thread