On Wednesday 27 March 2013 at 13:32 +0100, Didier 'OdyX' Raboud wrote:
> On Wednesday, 27 March 2013 12:59:15, Benjamin Cama wrote:
> > attached version fixes both problems (and is based on latest master, after
> > Julien disabled InRelease support). Please note that it will still print
> > what's _before_ the BEGIN header, if present (there shouldn't be
> > anything, but if you really want to be picky…)
>
> Well, yes, we want to be picky: the whole point of checking the signature is
> to avoid letting unsigned content be considered valid by debootstrap / apt /
> etc. See CVE-2013-1051.
OK, I understand. With my patch, someone could sneak in an unsigned Release
before the signed one, right? I don't know if apt would parse it, but it's a
problem.

> That said, I think I would prefer a gpgv patch to only output verified
> content than such sed hackery (although nice).

Yes, this would be a far better solution. But a quick look at gnupg doesn't
make that look easy. I'll give up on this solution for now, and leave
InRelease files unhandled.

Thanks for the comments,
-- 
Benjamin Cama <benjamin.c...@telecom-bretagne.eu>

Archive: http://lists.debian.org/1364392741.9044.42.ca...@bcama-latitude.rennes.enst-bretagne.fr
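The concern in the thread (text sitting before the BEGIN PGP SIGNED MESSAGE header leaking through to debootstrap or apt as if it were part of the signed Release data) can be made concrete with a small parser. The following Python is an added example, not code from the thread, from debootstrap or from gnupg: it splits a clearsigned file such as an InRelease file into the signed body, the signature block and any out-of-band text, and its strict entry point refuses the file when anything lies outside the signed block. It does not verify the signature (that remains gpgv's job) and it uses constructed sample data with a placeholder signature; the `everything_before_signature` helper is included only to show what the sed-style shortcut discussed above lets through.

```python
"""
Strict extraction of the signed text from a clearsigned file (e.g. InRelease).
Added example, not from the debian-boot thread, debootstrap or gnupg.
It does NOT check the signature; it only guarantees that whatever is handed
to the consumer is exactly the text the signature covers.
"""
from dataclasses import dataclass, field

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


@dataclass
class Clearsigned:
    body: str              # dash-unescaped text covered by the signature
    signature: str         # armored signature block, header and footer lines included
    unsigned_before: str   # whatever preceded the BEGIN header (not covered)
    unsigned_after: str    # whatever followed the END footer (not covered)
    armor_headers: list = field(default_factory=list)   # e.g. "Hash: SHA256"

    @property
    def has_unsigned_content(self) -> bool:
        return bool(self.unsigned_before.strip() or self.unsigned_after.strip())


def split_clearsigned(text: str) -> Clearsigned:
    """Split a clearsigned message into signed body, signature and out-of-band text."""
    lines = text.split("\n")
    try:
        i_begin = lines.index(BEGIN_SIGNED)
        i_sig = lines.index(BEGIN_SIG, i_begin + 1)
        i_end = lines.index(END_SIG, i_sig + 1)
    except ValueError as exc:
        raise ValueError("not a complete clearsigned message") from exc

    # Armor headers run from the line after BEGIN up to the first blank line.
    j = i_begin + 1
    armor_headers = []
    while j < i_sig and lines[j] != "":
        armor_headers.append(lines[j])
        j += 1
    if j >= i_sig:
        raise ValueError("missing blank line after armor headers")

    # RFC 4880 dash-escaping: a signed line starting with "-" was written as "- -...".
    body_lines = [ln[2:] if ln.startswith("- ") else ln for ln in lines[j + 1:i_sig]]

    return Clearsigned(
        body="\n".join(body_lines),
        signature="\n".join(lines[i_sig:i_end + 1]),
        unsigned_before="\n".join(lines[:i_begin]),
        unsigned_after="\n".join(lines[i_end + 1:]),
        armor_headers=armor_headers,
    )


def signed_body_or_reject(text: str) -> str:
    """Return only the signed text; refuse the file if anything sits outside the block.

    Parsing-level counterpart of "only output verified content": the consumer
    never sees text the signature does not cover.  gpgv still has to verify it.
    """
    parts = split_clearsigned(text)
    if parts.has_unsigned_content:
        raise ValueError("unsigned content outside the clearsigned block")
    return parts.body


def everything_before_signature(text: str) -> str:
    """The shortcut discussed in the thread: keep all text up to the signature header.

    Shown only to illustrate the problem: a Release stanza placed before the
    BEGIN header passes straight through to the consumer.
    """
    return text.split(BEGIN_SIG, 1)[0]


# Constructed sample data; the signature lines are placeholders, not a real signature.
SIGNED_RELEASE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Origin: Debian",
    "Suite: stable",
    "Codename: wheezy",
    "SHA256:",
    " 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages",
    BEGIN_SIG,
    "PLACEHOLDERSIGNATUREDATA=",
    "=abcd",
    END_SIG,
    "",
])

# Same file with an unsigned Release stanza placed in front of it (constructed).
PREPENDED_RELEASE = "Origin: not-signed\nSuite: unstable\n\n" + SIGNED_RELEASE


if __name__ == "__main__":
    print(signed_body_or_reject(SIGNED_RELEASE))
    print("shortcut keeps:", everything_before_signature(PREPENDED_RELEASE).splitlines()[0])
    try:
        signed_body_or_reject(PREPENDED_RELEASE)
    except ValueError as exc:
        print("strict extractor:", exc)
```

Run as a script it prints the signed Release fields, then shows that the shortcut keeps the prepended "Origin: not-signed" line while the strict extractor rejects the whole file. The body it returns is the dash-unescaped text between the armor headers' blank line and the signature header, without the final newline that RFC 4880 excludes from the signed text, so it is the same bytes gpgv hashes; the design choice is to fail closed on any out-of-band text rather than try to strip it, since a consumer that receives nothing is safer than one that receives a mix of signed and unsigned stanzas.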