
Re: holes in secure apt



Hi!

On Thu, 2014-06-12 at 19:43:56 +0100, Wookey wrote:
> +++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> > - [c]debootstrap
> > I think they both default now to verify signatures (which is a good
> > thing)... but IIRC, debootstrap also defaults to not verify anything...
> > if the keyrings aren't installed - admittedly this is unlikely... but
> > possible...
> 
> I found that I could not get debootstrap to do verified downloads from
> debian-ports with a debian-ports key. Whatever I did with apt-key, keys
> and --keyring options, it just said that the key was unavailable and
> stopped. Nice and secure, but useless, so I've had to use
> sudo debootstrap --no-check-gpg unstable debian-arm64 http://ftp.debian-ports.org/debian
> in the meantime.
> 
> So it does default to signed downloads and SFAIK will always do this
> whether or not any keys are installed/available, unless explicitly disabled.
> 
> And yes I should report a bug but have failed to do so thus far.
> 
> If someone can tell me what I'm doing wrong that would improve the
> security of this particular usage :-)

That might actually be a bug/deficiency of mini-dak, but I've not
looked into it for a very long time so I could not say for sure off
the top of my head.

Regards,
Guillem