
Bug#203741: [ijones@syntaxpolice.org: [(nowhere)] apt-secure]



----- Forwarded message from Isaac Jones <ijones@syntaxpolice.org> -----

Date: Mon, 29 Dec 2003 22:12:21 -0500
From: Isaac Jones <ijones@syntaxpolice.org>
To: Matt Zimmerman <mdz@debian.org>
Subject: [(nowhere)] apt-secure

Here's a message from several months back which has some issues that
may or may not still exist.  I thought I'd pass it along. (I'm going
through old email.)

peace,

isaac


Date: Tue, 8 Jul 2003 08:19:12 +0200
From: wopp@parplies.de
To: walters@debian.org, ijones@syntaxpolice.org
Subject: apt-secure

Hi,

I've started to use apt-secure, and there are a few observations/questions
I'd like to share with you.
  
First of all, I greatly appreciate your efforts, as this hole in the Debian
security system had troubled me. Regular security updates are a nice thing,
but blindly trusting "The Internet" to provide you with legitimate versions
of packages correcting security flaws is, well, to a certain degree
nonsensical. Of course, so is blindly trusting "The Internet" to provide a
legitimate version of apt-secure, so the point made on debian-security is
valid: it would be nice if you provided a Release and a corresponding
Release.gpg file signed with your GPG key. Then we'd only be blindly trusting
you ;-). It doesn't seem too difficult to verify that signature and the
md5sums of the Packages and .deb files manually prior to installing
apt-secure. Something like:
  
- download Release and Release.gpg
- gpg --no-default-keyring --keyring=/etc/apt/trusted.gpg --keyserver the.earth.li --recv-keys <your-key-id(s)>
- gpg --no-default-keyring --keyring=/etc/apt/trusted.gpg --verify Release.gpg Release
- download Packages
- check the md5sum in Release against `md5sum Packages`
- check the md5sum for package apt in Packages against `md5sum apt_0.5.4.secure.2_i386.deb`
  (or does "non-secure apt" do this anyway?)


Ok, this is partly a sort of bug report, so here are my first questions:
1.) How do I verify that I am in fact a person? ;-)
2.) How do you define "pre-alpha"? It works and actually does something useful,
    so isn't it at least alpha?


What I observed apt-secure to break (and therefore you might want to
include patched versions for):
1.) apt-proxy 1.3.0
    That was easy to quick-hack into working:

--- apt-proxy.orig      Mon Jul  7 04:07:00 2003
+++ apt-proxy   Mon Jul  7 04:06:40 2003
@@ -1223,7 +1223,7 @@
        conenc=
        ;;

-    *.bin)
+    *.bin|*Release.gpg)
        resolve_url $REQUEST
        [ -f $FRONT ] ||
            STREAM="`fetch_file_start $URL_REST $FRONT_BASE $BACKS`"
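Review bot: Adding `*Release.gpg` to the `*.bin)` arm makes the detached signature inherit whatever fetch and cache-expiry policy that arm applies to binaries; check that it is not a keep-forever policy meant for immutable .deb-style files, because Release.gpg changes every time the archive re-signs Release, and a stale cached signature served beside a freshly fetched Release would make every apt-secure verification fail. If that arm does cache indefinitely, give `*Release.gpg` its own arm with the same refresh rules the script applies to Release and Packages.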
--- cut here ---

2.) apt-show-versions 0.03
    (yes, I'm getting my version information manually from
    /var/lib/dpkg/status ...)
    I've looked into that and can't come up with a quick solution. The
    problem is the new layout of the /var/lib/apt/lists directory.
    Before, there was one Release file corresponding to each Packages
    file, which told apt-show-versions to which distribution the
    packages in it belong. Now there is one Release file for several
    Packages files ...
    If you can explain to me (or point me to information explaining it :)
    how the information in the Release file relates to the Packages
    files, I'll have another look at fixing/quick-hacking it :). It
    seems fairly obvious, but I have no idea what nasty surprises I'm
    supposed to expect ;-).

    To give it a try: is it sufficient to take each file listed in
    Release, s|/|_|g and replace the "Release" in the original file name
    by the results obtained in order to get all the (potential) file names
    in /var/lib/apt/lists/ to which the Release file would apply? In
    Perl:

    $release  = name_of_release_file ();
    ($prefix) = $release =~ /^(.*)Release$/;
    $dist     = suite_or_archive_from_release_file ();
    @files    = all_file_names_from ($release);
    %map      = map { s|/|_|g; ("$prefix$_", $dist) } @files;
    
    # and then use $map {$file_name} to lookup the distribution it
    # belongs to
    
    ???
    Ok, writing this email made me try it out, and it seems to work ...
    so here's the pre-pre-alpha-very-quick-hack-type-patch ... presuming my
    interpretation of the semantics is correct. Hey, it's even got the correct
    time stamp on the orig file ;-)

--- apt-show-versions.orig      Wed Jan 16 23:01:01 2002
+++ apt-show-versions   Tue Jul  8 03:58:54 2003
@@ -103,19 +103,58 @@
 my $apackages;
 my %releases = ();
    
+# wopp, 07.07.03
+# Get relevant releases in the apt-secure era ...
+sub parse_release {
+  my $filename = shift;
+  my $dist;
+  my @files = ();
+  open RELEASE, "<$filename"
+    or die "Can't read release file $filename: $!\n";
+  while (<RELEASE>) {
+    if (/^\s*(?:suite|archive):\s+(\S+)\s*$/i) {
+      $dist ||= $1;
+    } elsif (/^\s*[\da-fA-F]{32}\s+\d{1,9}\s+(.*)$/) {
+      push @files, $1;
+    }
+  }
+  close RELEASE;
+  return ($dist, \@files);
+}
+
+my %map = ();
+opendir DIR, $list_dir
+  or die "Can't opendir $list_dir though I could before: $!\n";
+foreach my $relfile (map { "$list_dir$_" } grep /Release$/, readdir DIR) {
+  my $dist;
+  my $files;
+  (my $prefix) = $relfile =~ /^(.*)Release$/;
+  ($dist, $files) = parse_release ($relfile);
+  foreach (@$files) {
+    s|/|_|g;
+    $map {"$prefix$_"} = $dist;
+  }
+  $releases {$dist} = 1;
+}
+closedir DIR;
+
+# end wopp
+
 # Get available package information out of all Packages files
 foreach (@files) {
-    my $release = $_;
-    $release =~ s/Packages/Release/;
-    $release = quotemeta $release;
-    my $archiv;
-    $archiv = `fgrep -s Archive $release` or
-       $archiv = `fgrep -s Suite $release` or
-           next;
-    $archiv =~ s/Archive: //;
-    $archiv =~ s/Suite: //;
-    $archiv =~ s/\n//;
-    $releases{$archiv} = 1;
+    my $archiv = $map {$_}
+      or next;
+#    my $release = $_;
+#    $release =~ s/Packages/Release/;
+#    $release = quotemeta $release;
+#    my $archiv;
+#    $archiv = `fgrep -s Archive $release` or
+#      $archiv = `fgrep -s Suite $release` or
+#          next;
+#    $archiv =~ s/Archive: //;
+#    $archiv =~ s/Suite: //;
+#    $archiv =~ s/\n//;
+#    $releases{$archiv} = 1;

     my $href = &parse_file ($_);
     foreach (keys %$href) {
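Review bot: In the rewritten loop, `my $archiv = $map {$_} or next;` silently drops any Packages file that has no entry in `%map`, so a mismatch between how `@files` names its entries and the `"$list_dir$_"` keys built above (or a Release file lacking a Suite/Archive field, which stores undef and also creates an empty-string key in `%releases`) just makes those packages vanish from the output; emit a warning before `next`. The new `parse_release` also `die`s on an unreadable Release file where the old `fgrep -s ... or next` skipped it, so one bad file now aborts the whole run. Finally, delete the old block rather than carrying it as `+#` comments; the diff already preserves it.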
--- cut here ---


3.) apt-file 0.2.3-4
    The [debian2003] insertion in sources.list is added to the URL that
    apt-file constructs. I'm not sure about the purpose of that, but I
    suppose it's from CDROM sources (I don't seem to have any CDROM
    entries left anywhere, so I can't check :|). [Update: I found one,
    and it shouldn't be too hard to handle that "correctly" while still
    removing the vendor specification. I'm too tired right now though.]
    As apt-file doesn't implement CDROM sources yet, it doesn't seem to
    hurt to unconditionally remove the [] part: 

--- apt-file.orig       Tue Jul  8 02:25:26 2003
+++ apt-file    Tue Jul  8 02:26:13 2003
@@ -41,6 +41,8 @@
 # This file accepts 2 kinds of notation:
 # deb ftp://non-us.debian.org/debian-non-US sid/non-US main
 # deb ftp://non-us.debian.org/debian-non-US sid non-US/main
+# wopp, 07.07.03:
+# deb [vendor-spec] ftp://non-us.debian.org/debian-non-US sid non-US/main
 sub read_source_list {
     my @res=();
     open(SOURCE, "< $Conf{'sources-list'}")
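Review bot: The added comment lists the `deb [vendor-spec] ...` notation next to the two accepted ones but does not say how it is handled; state that the bracketed part is discarded (as the next hunk does), otherwise a reader assumes it is parsed like the rest of the line.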
@@ -52,7 +54,14 @@
            if (m/^([^\[]*)\[([^\]]*)\](.*)$/) {
                my ($tmp1, $tmp2, $tmp3) = ($1, $2, $3);
                $tmp2 =~ s/ /_/g;
-               $line = $tmp1.'['.$tmp2.']'.$tmp3;
+               # wopp, 07.07.03:
+               # I don't know what this []-voodoo is about ... probably
+               # CDROMs. In any case, it conflicts with apt-secure. I prefer
+               # apt-secure over apt-cdrom (which is NYI anyway, see below),
+               # thus ...
+               # $line = $tmp1.'['.$tmp2.']'.$tmp3;
+               $line = $tmp1 . $tmp3;  
+               # Please note that this is merely a Quick Hack (tm) though.
            }
            $line =~ s/\s+/ /g;
            my @path = split / /, $line;
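Review bot: With `$line = $tmp1 . $tmp3;` the preceding `$tmp2 =~ s/ /_/g;` no longer has any effect, so remove it, or keep `$tmp2` and warn that the bracketed options are being ignored instead of dropping them silently. The eight-line comment block belongs in the changelog; a one-line note that `[...]` options are stripped because apt-file does not handle them is enough at this point in the code.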
--- cut here ---  

 
What I observed about apt-secure:
1.) The debug output seems to indicate that the woody Release.gpg
    contains both a signature done with the 2002 key and one with the
    2003 key. A manual test (gpg --verify Release.gpg Release) confirms
    this. apt-secure fails to be satisfied though if you only import
    the 2003 key into trusted.gpg. For apt-secure, you need the 2002 key
    for it to work (so you need both, as you need the 2003 key for the
    security updates). This might be dependent on the order of the output
    from gpg (or gpgv, rather).
    That's not really a problem, but it IS a bug and a small annoyance.


Sorry if some or all of this is confusing and unclear. Please attribute
it to the local time here ;-).

Hope it helps.

Regards,

Holger

Content-Description: PGP Key 0x5828781F.
pub  1024D/5828781F 2003-07-04 Holger Parplies <wopp@parplies.de>
uid                            Holger Parplies <wopp@kloas.de>
uid                            Holger Parplies <wopp@planungsteam-eb.de>
uid                            Holger Parplies <wopp@ehd-gmbh.de>
uid                            Holger Parplies <wopp@werken-spielen-schenken.de>
uid                            Holger Parplies <wopp@cs.tu-berlin.de>
sub  1024g/9E343170 2003-07-04  [expires: 2005-07-03]





----- End forwarded message -----

-- 
 - mdz
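The manual md5sum check from the first message and the Release-to-/var/lib/apt/lists name mapping proposed for apt-show-versions, as an added example that is not part of the mail or of either tool. It assumes the Release file has already passed `gpg --verify` as the mail describes; the Release and Packages contents below are constructed, and the list-file name is a made-up example.

```python
import hashlib
import re

# Constructed sample data (not from the mail): a tiny Packages file and a
# Release file whose MD5Sum section covers it, in the "<md5> <size> <path>"
# layout the apt-show-versions patch parses with /[\da-fA-F]{32}\s+\d+\s+(.*)/.
PACKAGES = b"Package: apt\nVersion: 0.5.4.secure.2\nArchitecture: i386\n\n"
RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: woody\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-i386/Packages\n"
    " 0123456789abcdef0123456789abcdef 42 main/binary-i386/Release\n"
)

MD5_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\d+)\s+(\S+)\s*$")
DIST_LINE = re.compile(r"^(?:Suite|Archive):\s*(\S+)\s*$", re.I)


def parse_release(text):
    """Return (dist, {relative_path: (md5, size)}) from a Release file.
    Like the patch, the first Suite/Archive field wins."""
    dist, entries = None, {}
    for line in text.splitlines():
        m = DIST_LINE.match(line)
        if m:
            dist = dist or m.group(1)
            continue
        m = MD5_LINE.match(line)
        if m:
            entries[m.group(3)] = (m.group(1).lower(), int(m.group(2)))
    return dist, entries


def list_file_names(release_list_name, entries):
    """Map each Release entry to the lists/ file name the mail proposes:
    the part of the Release file name before 'Release', plus the entry's
    path with every '/' turned into '_' (Perl: s|/|_|g)."""
    if not release_list_name.endswith("Release"):
        raise ValueError(f"not a Release list file: {release_list_name}")
    prefix = release_list_name[: -len("Release")]
    return {prefix + path.replace("/", "_"): path for path in entries}


def verify_file(entries, rel_path, data):
    """The manual step: size and md5 of a downloaded file must match the
    (already signature-verified) Release entry; a missing entry fails."""
    if rel_path not in entries:
        return False
    md5, size = entries[rel_path]
    return len(data) == size and hashlib.md5(data).hexdigest() == md5
```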
