On 31-05-14 12:55, Patrick Schleizer wrote:
> Joey Hess:
>> [...] there are situations where
>> debootstrap is used without debian-archive-keyring being
>> available, [...]
>
> Please elaborate, which situations are these?
>

Let me answer this: using debootstrap on non-Debian systems, a scenario likely to become more frequent with Debian running in Linux containers (LXC).

However, caveats apply in these scenarios; I will illustrate one way to think about this - if not just to gather feedback (it applies not only to LXC/VMs but in general for the case of spawning new Debian systems):

1) you have a Debian CD that you have verified being authentic thanks to your web of trust, this will be the system you trust most with trust level T0. Let's say you got it from the warm hands of your favourite DD and you are jealously storing it away as good wine

2) you are running a non-Debian system as host, let's say you have a trust level Tx on this operating system (it can be anything, but also Debian)

3) using debootstrap *without* a trust path to get the archive signing keys is enough of a mistake, in this case drinking the HTTPS Kool-Aid doesn't fix the trust path e.g. you would multiply Tx by zero (APT security != SSL CA security)

4) to overcome the problem above, you have to use your host system (with trust level Tx) to get the archive signing keys or to get an already "seeded" Debian chroot. I prefer the latter, thus I would download an official CD or net install ISO (verifiable thanks to https://www.debian.org/CD/verify), that we will label with trust level Ty

5) at this point you can continue the installation of your derived Debian system, that will have same trust level Ty

Theorem: in absolutely no case you can create a system with a higher trust level than its parent:

  Tx >= Ty

Let's depict scenarios where you want to achieve Ty = T0.

If at (3) you went forward without trusted archive signing keys, Ty is 0 (this covers the case Tx > Ty), so let's drop this scenario.

If your host system with trust Tx is let's say SuperSecureLinux downloaded from malwareland, then:

  Ty >= T0 iff (if and only if) Tx >= T0

(You must trust malwareland more than or equally as Debian)

If instead your host system has trust level T0 (you installed it with that lovely CD), then chain of trust is respected (given that you followed [4] and not [3]):

  Tx = T0 => Ty = T0

Sorry for the pseudo logic, hope it adds positively to the understanding & discussion.

Related threads:
https://lists.debian.org/debian-devel/2004/06/msg01499.html

Kind regards,
--
Giuseppe Mazzotta
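
Added example, not part of the original message: a shell sketch of steps (3) and (4) that fails closed, checking a downloaded image against a signed checksum list and refusing to run debootstrap when no archive keyring is present. The function names are hypothetical and every path is supplied by the caller; it assumes the SHA512SUMS / SHA512SUMS.sign pair that accompanies Debian CD images and a keyring file you already trust on the host (trust level Tx).

```shell
#!/bin/sh
# Added example; helper names are hypothetical, all paths are caller-supplied.

# Step 4a: check the detached signature on the checksum list against a
# keyring obtained through your own trust path. Give gpgv a path that
# contains a slash, otherwise it looks the keyring up in its home directory.
check_signed_sums() {
    cs_keyring=$1 cs_sums=$2 cs_sig=$3
    gpgv --keyring "$cs_keyring" "$cs_sig" "$cs_sums"
}

# Step 4b: the image must be listed in the (signed) checksum list and its
# SHA-512 must match. Unlisted, duplicated or mismatching entries all fail.
check_image_hash() {
    ci_sums=$1 ci_image=$2
    ci_name=$(basename "$ci_image")
    # Lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    ci_expected=$(awk -v n="$ci_name" '$2 == n || $2 == "*" n { print $1 }' "$ci_sums")
    [ -n "$ci_expected" ] || { echo "not listed: $ci_name" >&2; return 1; }
    ci_actual=$(sha512sum "$ci_image" | awk '{ print $1 }')
    [ "$ci_expected" = "$ci_actual" ] || { echo "hash mismatch: $ci_name" >&2; return 1; }
}

# Step 3 avoided: never bootstrap without an archive keyring. With
# --keyring, debootstrap checks the signature on the Release file it fetches.
bootstrap_with_keyring() {
    bk_keyring=$1 bk_suite=$2 bk_target=$3 bk_mirror=$4
    [ -r "$bk_keyring" ] || {
        echo "refusing to bootstrap: no archive keyring at $bk_keyring" >&2
        return 1
    }
    debootstrap --keyring="$bk_keyring" "$bk_suite" "$bk_target" "$bk_mirror"
}

# Intended order for an image: signature first, then hash.
verify_image() {
    check_signed_sums "$1" "$2" "$3" && check_image_hash "$2" "$4"
}
```

None of these checks raises the result above the trust placed in the keyring and the host tools (gpgv, sha512sum) that perform them.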