Your message dated Fri, 14 Aug 2015 15:36:15 +0200
with message-id <20150814153533.ga31...@debian.org>
and subject line Re: Bug#665920: apt: failed secure APT checks don't give errors and non-zero exit statuses in all cases
has caused the Debian Bug report #665920,
regarding apt: failed secure APT checks don't give errors and non-zero exit statuses in all cases
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
665920: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665920
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.8.15.10
Severity: important
Hi.
I did some non-systematic tests on secure APT (with partially shocking results).
The following is at least true for the download action of apt (and I guess
therefore of aptitude, too), and perhaps for other actions (and/or option
combinations) in which verifications should happen, too.
It does not give an error, and the exit code is 0, when the verification of the
downloaded file fails.
The check seems, however, to actually take place, because if I modify the hashsums
in e.g. ftp.de.debian.org_debian_dists_unstable_main_binary-amd64_Packages for
the base-files binary package and I do an:
$ apt-get download base-files
Get:1 Downloading base-files 6.7 [69,4 kB]
Fetched 69,4 kB in 0s (134 kB/s)
All I get is:
l
total 78k
drwxr-xr-x 2 calestyo calestyo 4,1k Mar 27 03:00 .
drwx------ 6 calestyo calestyo 4,1k Mar 27 02:41 ..
-rw-r--r-- 1 calestyo calestyo 70k Mar 4 01:17 base-files_6.7_amd64.deb.FAILED
Generally I think that all kinds of verification errors should be treated as
(most severe) errors (not just warnings) and that the exit status should be
non-zero.
Best would be to have a special exit code that denotes that potential security
issues occurred.
In the above case, renaming the file to .FAILED may seem enough, but one can
never know how the user uses the system, and perhaps relies on failed exit
statuses.
Or imagine a (though stupid) script that downloads the .deb to a temp dir and
takes the only file of that dir (regardless of the .FAILED) and e.g. installs
it.
I mean this would be badly written code, but we really should try to protect
even such cases, especially when this is easily possible.
Cheers,
Chris.
btw: Perhaps someone can explain this:
I traced the process and get the following:
stat("/var/lib/apt/lists/ftp.de.debian.org_debian_dists_unstable_Release.gpg",
0x7fff750b4670) = -1 ENOENT (No such file or directory)
stat("/var/lib/apt/lists/_srv_local-package-archive_dists_unstable_Release.gpg",
{st_mode=S_IFREG|0644, st_size=836, ...}) = 0
So while there is a Release.gpg for my local archive, there is none for
Debian's.
Why and is this a security problem?
--- End Message ---
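The defensive check the report argues for, as an added example that is not part of the bug report or of apt: a script that consumes an `apt-get download` result refuses the .deb unless no `.FAILED` marker is present, the expected file exists, and its SHA256 matches the Packages index it was downloaded against. The function names, the fake payload and the index stanza are constructed for this example.

```python
# Added example, not from the bug report or apt: check an `apt-get download`
# result without trusting apt's exit status. All names are this example's own.
import hashlib
import tempfile
from pathlib import Path

def parse_stanza(packages_text, package):
    """Fields of `package` from a Packages index (blank-line separated stanzas)."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = {k.strip(): v.strip() for k, v in
                  (line.split(":", 1) for line in stanza.splitlines()
                   if ":" in line and not line[0].isspace())}
        if fields.get("Package") == package:
            return fields
    raise LookupError("package %r not in index" % package)

def verify_download(download_dir, packages_text, package):
    """Return (ok, reason): ok only if the expected .deb is present, nothing in the
    directory carries apt's .FAILED marker, and its SHA256 matches the index."""
    fields = parse_stanza(packages_text, package)
    name = Path(fields["Filename"]).name
    failed = sorted(p.name for p in Path(download_dir).glob("*.FAILED"))
    if failed:
        return False, "apt marked a verification failure: " + ", ".join(failed)
    deb = Path(download_dir) / name
    if not deb.is_file():
        return False, "expected %s is missing" % name
    if hashlib.sha256(deb.read_bytes()).hexdigest() != fields["SHA256"].lower():
        return False, "SHA256 mismatch for %s" % name
    return True, "verified %s" % name

# Constructed stand-ins: a fake .deb payload and the index stanza describing it.
PAYLOAD = b"constructed stand-in for base-files_6.7_amd64.deb, not a real package\n"
PACKAGES_INDEX = ("Package: base-files\nVersion: 6.7\nArchitecture: amd64\n"
                  "Filename: pool/main/b/base-files/base-files_6.7_amd64.deb\n"
                  "SHA256: %s\n" % hashlib.sha256(PAYLOAD).hexdigest())

def demo():
    """Clean download, then a tampered .deb, then apt's .FAILED rename."""
    d = Path(tempfile.mkdtemp())
    deb = d / "base-files_6.7_amd64.deb"
    deb.write_bytes(PAYLOAD)
    clean = verify_download(d, PACKAGES_INDEX, "base-files")
    deb.write_bytes(PAYLOAD + b"tampered")  # contents changed after the index was read
    tampered = verify_download(d, PACKAGES_INDEX, "base-files")
    deb.rename(d / (deb.name + ".FAILED"))  # what apt leaves behind on failure
    marked = verify_download(d, PACKAGES_INDEX, "base-files")
    return clean, tampered, marked
```

The point of the third case is the one the report makes: a consumer that only globs the directory for "the .deb" would still pick up the renamed file, so the marker has to be an explicit rejection condition rather than something the caller is assumed to notice.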
--- Begin Message ---
On Tue, Mar 27, 2012 at 03:12:07AM +0200, Christoph Anton Mitterer wrote:
> Package: apt
> Version: 0.8.15.10
> Severity: important
>
>
> Hi.
>
> I did some non-systematic tests on secure APT (with partially shocking results).
>
> The following is at least true for the download action of apt (and I guess
> therefore of aptitude, too), and perhaps for other actions (and/or option
> combinations) in which verifications should happen, too.
>
> It does not give an error, and the exit code is 0, when the verification of the
> downloaded file fails.
>
>
It exits with 100 in sid and experimental now.
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
- If you don't I might ignore you.
--- End Message ---