[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: holes in secure apt

+++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> - [c]debootstrap
> I think they both default now to verify signatures (which is a good
> thing)... but IIRC, debootstrap also defaults to not verify anything...
> if the keyrings aren't installed - admittedly this is unlikely... but
> possible...

I found that I could not get debootstrap to do verified downloads from
debian-ports with a debian-ports key. Whatever I did with apt-key, keys
and --keyring options, it just said that the key was unavailable and
stopped. Nice and secure, but useless, so I've had to use 
sudo debootstrap --no-check-gpg unstable debian-arm64 http://ftp.debian-ports.org/debian
in the meantime.

So it does default to signed downloads and SFAIK will always do this
wether or not any keys are installed/available, unless explicitly disabled.

And yes I should report a bug but have failed to do so thus far.

If someone can tell me what I'm doing wrong that would improve the
security of this particular usage :-)

Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM

Reply to: