Re: RFC auth patch

Thu, 15 Feb 2007 12:49:53 -0800 

Frans Pop wrote:
> Would it be worth creating an alias for it (as it is very long in its raw 
> form)?

I don't want to make it too easy to use this.

> Should this be really be kept by default for the target system? If so, 
> that should be documented very clearly.

Probably best to remove it at the end.

Updated patch:

Index: manual/en/appendix/preseed.xml
===================================================================
--- manual/en/appendix/preseed.xml      (revision 45117)
+++ manual/en/appendix/preseed.xml      (working copy)
@@ -1048,6 +1048,11 @@
 # apt will complain about the unauthenticated repository and so the
 # sources.list line will be left commented out
 #d-i apt-setup/local0/key string http://local.server/key
+
+# By default the installer requires that repositories be authenticated
+# using a known gpg key. This setting can be used to disable that
+# authentication. Warning: Insecure, not recommended.
+#d-i debian-installer/allow_unauthenticated string true
 </screen></informalexample>
 
   </sect2>
Index: manual/en/boot-installer/parameters.xml
===================================================================
--- manual/en/boot-installer/parameters.xml     (revision 45117)
+++ manual/en/boot-installer/parameters.xml     (working copy)
@@ -362,6 +362,17 @@
 </para></listitem>
 </varlistentry>
 
+<varlistentry>
+<term>debian-installer/allow_unauthenticated</term>
+<listitem><para>
+
+By default the installer requires that repositories be authenticated
+using a known gpg key. Set to <userinput>true</userinput> to 
+disable that authentication. Warning: Insecure, not recommended.
+
+</para></listitem>
+</varlistentry>
+
 <varlistentry arch="alpha;m68k;mips;mipsel">
 <term>ramdisk_size</term>
 <listitem><para>
Index: packages/rootskel/debian/changelog
===================================================================
--- packages/rootskel/debian/changelog  (revision 45117)
+++ packages/rootskel/debian/changelog  (working copy)
@@ -1,3 +1,11 @@
+rootskel (1.50) UNRELEASED; urgency=low
+
+  * Add new debian-installer/allow_unauthenticated template, will be used by
+    choose-mirror and base-installer to allow forcing installation even if
+    the mirror doesn't auth.
+
+ -- Joey Hess <[EMAIL PROTECTED]>  Thu, 15 Feb 2007 13:51:22 -0500
+
 rootskel (1.49) unstable; urgency=low
 
   * Support blacklisting of modules from the boot prompt using the syntax
Index: packages/rootskel/debian/templates-arch
===================================================================
--- packages/rootskel/debian/templates-arch     (revision 45117)
+++ packages/rootskel/debian/templates-arch     (working copy)
@@ -22,3 +22,8 @@
 Type: string
 Description: for internal use; can be preseeded
  Theme to use for the (newt or gtk) frontend
+
+Template: debian-installer/allow_unauthenticated
+Type: boolean
+Default: false
+Description: for internal use; can be preseeded
Index: packages/net-retriever/debian/changelog
===================================================================
--- packages/net-retriever/debian/changelog     (revision 45117)
+++ packages/net-retriever/debian/changelog     (working copy)
@@ -1,3 +1,10 @@
+net-retriever (1.14) UNRELEASED; urgency=low
+
+  * If debian-installer/allow_unauthenticated is true, only log a warning
+    if authentication fails.
+
+ -- Joey Hess <[EMAIL PROTECTED]>  Thu, 15 Feb 2007 14:04:02 -0500
+
 net-retriever (1.13) unstable; urgency=low
 
   [ Updated translations ]
Index: packages/net-retriever/net-retriever
===================================================================
--- packages/net-retriever/net-retriever        (revision 45117)
+++ packages/net-retriever/net-retriever        (working copy)
@@ -105,7 +105,7 @@
                Release="/tmp/net-retriever-$$-Release"
                fetch "dists/$codename/Release" "$Release" || exit $?
                # If gpgv and a keyring are installed, authentication is
-               # mandatory.
+               # mandatory by default.
                if type gpgv >/dev/null && [ -f "$keyring" ]; then
                        if ! fetch "dists/$codename/Release.gpg" 
"$Release.gpg"; then
                                error "dists/$codename/Release is unsigned."
@@ -114,7 +114,11 @@
                             gpgv --status-fd 1 --keyring "$keyring" \
                             --ignore-time-conflict \
                             "$Release.gpg" "$Release" | read_gpg_status; then
-                               error "Bad signature on $Release."
+                               if db_get 
debian-installer/allow_unauthenticated && [ "$RET" = true ]; then
+                                       log "Ignoring bad signature on 
$Release."
+                               else
+                                       error "Bad signature on $Release."
+                               fi
                        fi
                fi
 
Index: packages/base-installer/debian/postinst
===================================================================
--- packages/base-installer/debian/postinst     (revision 45117)
+++ packages/base-installer/debian/postinst     (working copy)
@@ -173,7 +173,9 @@
                exclude="--exclude=${EXCLUDES}"
        fi
        if type gpgv >/dev/null && [ -f "$KEYRING" ]; then
-               keyring="--keyring=${KEYRING}"
+               if ! db_get debian-installer/allow_unauthenticated || [ "$RET" 
!= true ]; then
+                       keyring="--keyring=${KEYRING}"
+               fi
        fi
 
        test -d $ETCDIR || mkdir -p $ETCDIR
@@ -259,6 +261,14 @@
        cat > /target/etc/apt/apt.conf.d/00IgnoreTimeConflict << EOT
 Acquire::gpgv::Options { "--ignore-time-conflict"; };
 EOT
+
+       if db_get debian-installer/allow_unauthenticated && [ "$RET" = true ]; 
then
+               # This file will be left in place until the end of the install.
+               cat > /target/etc/apt/apt.conf.d/00AllowUnauthenticated << EOT
+APT::Get::AllowUnauthenticated "true";
+EOT
+       fi
+
        # let apt inside the chroot see the cdrom
        if [ "$PROTOCOL" = file ] ; then
                if [ -n "$DIRECTORY" ]; then
Index: packages/base-installer/debian/changelog
===================================================================
--- packages/base-installer/debian/changelog    (revision 45167)
+++ packages/base-installer/debian/changelog    (working copy)
@@ -5,8 +5,11 @@
 
   [ Joey Hess ]
   * Add support for armel.
+  * If debian-installer/allow_unauthenticated exists and is true, write a
+    /etc/apt/apt.conf.d/00AllowUnauthenticated file making apt allow
+    unauthenticated mirrors.
 
- -- Joey Hess <[EMAIL PROTECTED]>  Wed, 14 Feb 2007 16:28:10 -0500
+ -- Joey Hess <[EMAIL PROTECTED]>  Thu, 15 Feb 2007 13:58:34 -0500
 
 base-installer (1.72) unstable; urgency=low
 
Index: packages/base-installer/finish-install
===================================================================
--- packages/base-installer/finish-install      (revision 45117)
+++ packages/base-installer/finish-install      (working copy)
@@ -2,4 +2,5 @@
 set -e
 
 rm -f /target/etc/apt/apt.conf.d/00NoMountCDROM \
-       /target/etc/apt/apt.conf.d/00IgnoreTimeConflict
+       /target/etc/apt/apt.conf.d/00IgnoreTimeConflict \
+       /target/etc/apt/apt.conf.d/00AllowUnauthenticated

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature

Reply via email to