Known bug and duplicate, check the BTS.

At Wed, 09 Sep 2009 23:15:51 +0200, Christoph Anton Mitterer wrote:
>
> Package: pbuilder
> Version: 0.189
> Severity: important
> Tags: security
>
> Hi.
>
>
> debootstrap (unlike cdebootstrap IIRC) does not check signatures on
> any packages per default, but only when the "--keyring" option is used.
>
> This has the potential security problem that users are building (and
> thus executing) code that is not verified.
>
> I would suggest that you at least add a:
> DEBOOTSTRAPOPTS="--keyring=/set-this-file"
> to the default template.
>
> But this is still... well, not a good solution, so I'd suggest the following:
> 1) Add options to pbuilder itself:
>    - A mandatory --keyring= option to specify the keyring to be used and
>      that is passed on to [c]debootstrap
>    - An option like --do-not-verify-signatures (including some warnings
>      that this is dangerous), and only if this is set may --keyring
>      be omitted.
>
> 2) If none of the above is specified, pbuilder should fail.
>
>
> I'm not sure about the following:
> - As pbuilder installs stuff inside the already bootstrapped chroot,
>   there may be additional possibilities for insecure packages. But I
>   assume you always use apt there, right? And this should use keys...
>   well, at least with debootstrap they're copied into the chroot
>   (IIRC); not sure about cdebootstrap.
>
> - Is this already a problem with current build daemons or whatever?
>   And should we inform those guys on this problem?
>
>
> Regards,
> Chris.
>
>
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
> Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages pbuilder depends on:
> ii  coreutils              7.5-4      GNU core utilities
> ii  debconf [debconf-2.0]  1.5.27     Debian configuration management sy
> ii  debianutils            3.2.1      Miscellaneous utilities specific t
> ii  debootstrap            1.0.15     Bootstrap a basic Debian system
> ii  wget                   1.11.4-4   retrieves files from the web
>
> Versions of packages pbuilder recommends:
> ii  devscripts             2.10.54    scripts to make the life of a Debi
> ii  fakeroot               1.13       Gives a fake root environment
> ii  sudo                   1.7.2p1-1  Provide limited super user privile
>
> Versions of packages pbuilder suggests:
> pn  cowdancer              <none>     (no description available)
> pn  gdebi                  <none>     (no description available)
> pn  pbuilder-uml           <none>     (no description available)
>
> -- debconf information:
> * pbuilder/mirrorsite: ftp://ftp.de.debian.org/debian/
>   pbuilder/nomirror:
> * pbuilder/rewrite: false
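One way to enforce the policy the report proposes (refuse to bootstrap unless a keyring is supplied, or the caller explicitly and loudly opts out of verification), as an added example that is not pbuilder's code and not part of the original bug report. The function name `check_bootstrap_opts`, the `--do-not-verify-signatures` opt-out, the option-string layout and the keyring path are assumptions; debootstrap's `--keyring` option itself is real.

```shell
#!/bin/sh
# Added example, not pbuilder code: enforce the policy the bug report proposes.
# check_bootstrap_opts "OPTS" inspects a debootstrap option string and returns
#   0  if it carries --keyring=FILE (or --keyring FILE) and FILE is readable, or
#      the explicit, hypothetical --do-not-verify-signatures opt-out,
#   1  otherwise, so the caller never runs debootstrap on unverified packages.
check_bootstrap_opts() {
    keyring=""
    noverify=0
    expect_keyring=0
    for opt in $1; do
        if [ "$expect_keyring" -eq 1 ]; then
            keyring="$opt"            # two-token form: --keyring FILE
            expect_keyring=0
            continue
        fi
        case "$opt" in
            --keyring=*) keyring="${opt#--keyring=}" ;;
            --keyring) expect_keyring=1 ;;
            --do-not-verify-signatures) noverify=1 ;;
        esac
    done

    if [ "$noverify" -eq 1 ]; then
        echo "WARNING: signature verification disabled; chroot contents are unauthenticated" >&2
        return 0
    fi
    if [ "$expect_keyring" -eq 1 ]; then
        echo "ERROR: --keyring given without a file; refusing to bootstrap" >&2
        return 1
    fi
    if [ -z "$keyring" ]; then
        echo "ERROR: no --keyring given and no explicit opt-out; refusing to bootstrap" >&2
        return 1
    fi
    if [ ! -r "$keyring" ]; then
        echo "ERROR: keyring '$keyring' is missing or unreadable" >&2
        return 1
    fi
    return 0
}

# Constructed demonstration mirroring the template line the report suggests.
# The keyring path is the one shipped by debian-archive-keyring and is an
# assumption about the host; on a host without it the check refuses to run.
DEBOOTSTRAPOPTS="--variant=buildd --keyring=/usr/share/keyrings/debian-archive-keyring.gpg"
if check_bootstrap_opts "$DEBOOTSTRAPOPTS"; then
    echo "would run: debootstrap $DEBOOTSTRAPOPTS <suite> <target-dir> <mirror>"
else
    echo "bootstrap refused" >&2
fi
```

Two caveats for anyone adapting this: pbuilder reads `DEBOOTSTRAPOPTS` from pbuilderrc as a bash array, so the equivalent configuration line is `DEBOOTSTRAPOPTS=("--keyring=/usr/share/keyrings/debian-archive-keyring.gpg")` rather than the plain string used above; and `--keyring` only makes debootstrap verify the archive's Release signature with gpgv, so packages apt installs into the chroot afterwards are only as trustworthy as the keyring present inside that chroot, which is the second concern the report raises.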