Re: holes in secure apt

To: debian-devel@lists.debian.org
Subject: Re: holes in secure apt
From: Wookey <wookey@wookware.org>
Date: Thu, 12 Jun 2014 19:43:56 +0100
Message-id: <[🔎] 20140612184356.GN10647@stoneboat.aleph1.co.uk>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>

+++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> - [c]debootstrap
> I think they both default now to verify signatures (which is a good
> thing)... but IIRC, debootstrap also defaults to not verify anything...
> if the keyrings aren't installed - admittedly this is unlikely... but
> possible...

I found that I could not get debootstrap to do verified downloads from
debian-ports with a debian-ports key. Whatever I did with apt-key, keys
and --keyring options, it just said that the key was unavailable and
stopped. Nice and secure, but useless, so I've had to use 
sudo debootstrap --no-check-gpg unstable debian-arm64 http://ftp.debian-ports.org/debian
in the meantime.

So it does default to signed downloads and SFAIK will always do this
wether or not any keys are installed/available, unless explicitly disabled.

And yes I should report a bug but have failed to do so thus far.

If someone can tell me what I'm doing wrong that would improve the
security of this particular usage :-)

Wookey
-- 
Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/

Reply to:

Follow-Ups:
- Re: holes in secure apt
  - From: Guillem Jover <guillem@debian.org>
- Re: holes in secure apt
  - From: Neil Williams <codehelp@debian.org>
- Re: holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: HTTPS everywhere!
Next by Date: Re: use of RDRAND in $random_library
Previous by thread: Re: holes in secure apt
Next by thread: Re: holes in secure apt
Index(es):
- Date
- Thread