Hi Wolfgang, hi Holger, On Fr 16 Aug 2019 11:41:56 CEST, Wolfgang Schweer wrote:
On Thu, Aug 15, 2019 at 03:54:54PM +0000, Holger Levsen wrote:On Thu, Aug 15, 2019 at 02:38:33PM +0000, Debian FTP Masters wrote: > Source: debian-edu-config > Version: 2.10.67 [...] > debian-edu-config.fetch-ldap-cert: > - Fully inline-document fetch-ldap-cert script. this is really great > - White-space-only change: Fix broken and inconsistent indentations. looking at the debdiff between in whats in stable and this it seems this is mostly not visible because its basically/almost a rewrite anyway:$ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstatMakefile | 2cf3/cf.finalize | 52 +cf3/cf.homes | 2 cf3/cf.workarounds | 16 cf3/edu.cf | 1debian/changelog | 96 +++debian/control | 2debian/debian-edu-config.fetch-ldap-cert | 283 ++++++++--debian/debian-edu-config.postinst | 14 etc/ltsp/ltsp-build-client.conf | 2etc/network/if-up.d/hostname | 43 - share/debian-edu-config/d-i/finish-install | 31 -share/debian-edu-config/edu-firefox-nfs | 1 share/debian-edu-config/sudo-ldap.conf | 1 share/debian-edu-config/tools/create-debian-edu-certs | 2 share/debian-edu-config/tools/kerberos-kdc-init | 5 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings | 4 17 files changed, 418 insertions(+), 139 deletions(-)(so maybe it would have been wiser not to mention the white-space only changes,as the release team really dislikes them.)\however/anyway, I'm not sure we can get this past the release team for the stable point release. we might. we think all these changes are useful/needed for stable, right?Useful, yes; but IMO we could get along for Buster without the fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the stable release team dislikes these.
Disagreeing here.The fetch-ldap-cert changes are security related and get things right about the rootCA handling in Debian Edu buster.
The white-space changes are awkward to review, but the readability of the script is much better now (as indentation is now correct + all the comments).
(And: we, that is Holger, have/has got other d-e-c changes into a stable-pu, as we don't affect other software packages).
Among improved checks for a lot of possible failures, the rewrite has the benefit of validating the LDAP server certificate against the Debian Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against the bundle-crt certificate). Both are downloaded from www.intern, as opposed to the LDAP server cert that is fetched from the LDAP server itself. The bundle certificate contains the Debian Edu rootCA certificate and the multipurpose server certificate (as a chain). This server certificate is used for all configured Debian Edu server services, included the LDAP service. While using the single Debian Edu rootCA certificate for validation is the better way to go, the bundle certificate can be used as well.
Yes. Thanks for pointing this out!!! It is the much better / cleaner / expected-by-admins approach.
Another improvement of the fetch-ldap-cert script shipped with d-e-c 2.10.67 is the use of independent conditions for host and LTSP chroot (instead of the global condition introduced with commit f8f436e); but then the drawback caused by this change for LTSP chroots has also been dealt with via d-e-c 2.10.66 fixes. Mike, please comment.
Futhermore, we now entirely fixed backwards compatibility (new Debian Edu clients running against old Debian Edu TJENERs). This was the main flaw of the original Debian 10.0 implementation. You can't use Debian Edu 10 clients on a network running on a TJENER from 9.x or 8.x. While investigating this, Petter pointed us to the security flaw of always updating the LDAP server certificate on clients. Only deploying the LDAP server cert once protects the user against password sniffing, if someone malign takes over the network.
Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now is easy to read,
Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Attachment:
pgpdgzM4Q4ksq.pgp
Description: Digitale PGP-Signatur