Re: holes in secure apt

+++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> - [c]debootstrap
> I think they both default now to verify signatures (which is a good
> thing)... but IIRC, debootstrap also defaults to not verify anything...
> if the keyrings aren't installed - admittedly this is unlikely... but
> possible...

I found that I could not get debootstrap to do verified downloads from
debian-ports with a debian-ports key. Whatever I did with apt-key, keys
and --keyring options, it just said that the key was unavailable and
stopped. Nice and secure, but useless, so I've had to use
  sudo debootstrap --no-check-gpg unstable debian-arm64 http://ftp.debian-ports.org/debian
in the meantime.

So it does default to signed downloads and SFAIK will always do this
whether or not any keys are installed/available, unless explicitly disabled.

And yes I should report a bug but have failed to do so thus far.

If someone can tell me what I'm doing wrong that would improve the
security of this particular usage :-)

Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM
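Added example (not from this mail or from debootstrap itself): a small fail-closed wrapper that pins the keyring with debootstrap's real --keyring=FILE option and refuses to run at all when the keyring is missing or empty, instead of degrading to --no-check-gpg. It assumes a binary GPG keyring such as one produced by `gpg --export`, and optionally checks an expected key fingerprint with `gpg --with-colons --fingerprint` when one is supplied; the suite, target and mirror below are just the values from the mail, and the fingerprint argument is a placeholder to be filled in by the operator. The wrapper only prints the command line so that it can be inspected before it is run as root.

```shell
#!/bin/sh
# Added example, not debootstrap's own code. Fail closed: never silently
# fall back to --no-check-gpg when the keyring cannot be used.

# keyring_usable FILE: succeed only if FILE exists, is readable and non-empty.
keyring_usable() {
    [ -r "$1" ] && [ -s "$1" ]
}

# keyring_has_fpr FILE FPR: succeed if the keyring contains a key whose
# fingerprint is FPR (40 hex chars, no spaces). Uses gpg's machine-readable
# colon output; a relative keyring path must contain a slash or gpg looks
# in its own home directory, so pass an absolute path.
keyring_has_fpr() {
    gpg --no-default-keyring --keyring "$1" --with-colons --fingerprint 2>/dev/null \
        | grep -q "^fpr:.*:$2:"
}

# debootstrap_cmd KEYRING SUITE TARGET MIRROR [EXPECTED_FPR]
# Prints the debootstrap command line with the keyring pinned explicitly.
# Returns non-zero and prints nothing when the keyring is unusable or does
# not hold the expected key.
debootstrap_cmd() {
    keyring=$1; suite=$2; target=$3; mirror=$4; expected_fpr=$5
    if ! keyring_usable "$keyring"; then
        echo "refusing to build ${suite}: no usable keyring at ${keyring}" >&2
        return 1
    fi
    if [ -n "$expected_fpr" ] && ! keyring_has_fpr "$keyring" "$expected_fpr"; then
        echo "refusing to build ${suite}: ${keyring} lacks key ${expected_fpr}" >&2
        return 1
    fi
    printf 'debootstrap --keyring=%s %s %s %s\n' "$keyring" "$suite" "$target" "$mirror"
}

# Usage (placeholder keyring path and fingerprint; values from the mail otherwise):
#   debootstrap_cmd /path/to/debian-ports-archive-keyring.gpg unstable \
#       debian-arm64 http://ftp.debian-ports.org/debian PLACEHOLDER_FINGERPRINT \
#     && sudo sh -c "$(debootstrap_cmd ...)"
```

Because the function emits the command instead of executing it, the fallback the mail describes becomes a deliberate, visible decision: the operator has to type --no-check-gpg themselves, and the missing-key failure is reported before anything is downloaded.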

