Bug#432309: should check Release signature by default?

2015-05-26 Thread Christoph Anton Mitterer
Control: tags -1 + wontfix

Seeing this "solved" by an opt-in-for-being-secure switch is simply
embarrassing for Debian's already not so shining security philosophies
and paradigms.

There's basically no reason that speaks against doing it properly, i.e.
vice-versa: requiring verification by default and only allow it to be
disabled manually.
Especially since typically no user would even notice that within Debian.


Anyway, since the bug as reported hasn't been fixed properly (the opt-in
security implemented by #733179 obviously doesn't do so) and since
upstream has apparently no interest in doing so, I'm marking this as
wontfix, as it should be.


Cheers.


smime.p7s
Description: S/MIME cryptographic signature


Bug#432309: should check Release signature by default?

2013-06-29 Thread Christoph Anton Mitterer
Hey Joey

On Sat, 2013-06-29 at 14:57 -0400, Joey Hess wrote:
> I'm not talking about building debootstrap to bootstrap some other linux
> distribution. I'm talking about the common practice of using it to
> bootstrap debian from other linux distributions.
Sure... I did the same...

If you use debootstrap from another distro... you must build it there,
right?

And during such a build ./configure could e.g. check for
/etc/debian_version or perhaps /etc/os-release.
If it finds something it knows (e.g. Debian or Ubuntu)... it could
hard-code the expectation of a keyring... or not.



Anyway... as said I think for most security, it would be best if by
default it always expects a keyring, unless --no-check-gpg is given.
Regardless of where it is built or what you try to bootstrap.

Systems that depend on not checking for signatures will be quickly
identified and can simply be made to work again by adding
--no-check-gpg... and that's actually a good way for people to see that
they might have a security problem. At least it's better than letting
people accidentally shoot themselves in the foot.

In that case it should however try to use default keyrings (if
available), e.g. debian-archive-keyring for any Debian-based suite,
or emdebian-archive-keyring for emdebian, etc.
The problem here is just that the suite name might be ambiguous... :(


Cheers,
Chris.




Bug#432309: should check Release signature by default?

2013-06-29 Thread Joey Hess
Christoph Anton Mitterer wrote:
> I don't see why this should cause a problem... AFAIU, right now it must
> have already hardcoded the default keyring for the distro it was built
> for, right? i.e. on
> Debian /usr/share/keyrings/debian-archive-keyring.gpg
> 
> So if such keyring was specified during build... it should strictly
> require it as I've mentioned before... (unless another --keyring or
> --no-check-gpg is given)
> 
> If it's built for *buntu it should strictly ... the same just perhaps
> with:

I'm not talking about building debootstrap to bootstrap some other linux
distribution. I'm talking about the common practice of using it to
bootstrap debian from other linux distributions.

-- 
see shy jo


signature.asc
Description: Digital signature


Bug#432309: should check Release signature by default?

2013-06-29 Thread Christoph Anton Mitterer
On Sat, 2013-06-29 at 13:43 -0400, Joey Hess wrote:
> debootstrap is used on a wide variety of non-debian systems, which do
> not have it installed, and probably have no trust path to securely
> install the debian keyring.
I don't see why this should cause a problem... AFAIU, right now it must
have already hardcoded the default keyring for the distro it was built
for, right? i.e. on
Debian /usr/share/keyrings/debian-archive-keyring.gpg

So if such keyring was specified during build... it should strictly
require it as I've mentioned before... (unless another --keyring or
--no-check-gpg is given)

If it's built for *buntu it should strictly ... the same just perhaps
with:
/usr/share/keyrings/marks-key.gpg
or whatever they use.



And if it's built for no known distro... it could behave as you say:
not verifying any keys by default...

Still I wouldn't like that and would rather choose that such versions
need to explicitly specify either --keyring or --no-check-gpg.
At least that would be the secure solution... but at least Debian people
would be safe in any circumstance.


Cheers,
Chris.




Bug#432309: should check Release signature by default?

2013-06-29 Thread Joey Hess
Christoph Anton Mitterer wrote:
> So I suggest that it should be changed the following way,...
> that if no --keyring is given, and debian-archive-keyring is not
> installed (and usable) either... debootstrap should fail (unless
> --no-check-gpg is given).
> 
> I don't think this will break a lot, as most systems will probably have
> debian-archive-keyring installed.

debootstrap is used on a wide variety of non-debian systems, which do
not have it installed, and probably have no trust path to securely
install the debian keyring.

Given that apt already depends on debian-archive-keyring, it's unlikely
that a debian system does not have it installed.

-- 
see shy jo




Bug#432309: should check Release signature by default?

2013-06-29 Thread Christoph Anton Mitterer
forcemerge 432309 610753 515938
severity 432309 important
stop

Hi.

AFAICS, all these issues (two of them actually reported by myself) are
the same, therefore forcemerging.

It seems that since 1.0.30:
  * Recommend debian-archive-keyring, and if it is installed,
default to checking gpg signatures of the Release file against it
when bootstrapping sid, squeeze, wheezy, etch, and lenny.
Closes: #560038
the Release files (and all other downloaded files - is that true?) are
actually checked by default,... but ONLY if debian-archive-keyring is
installed, right?


I don't think however that this fully closes the issue reported in these
bugs.
Cause AFAIU, if debian-archive-keyring is not installed, it still
defaults to not verifying anything... and thereby possibly
installing/executing forged and evil packages.

True?


So I suggest that it should be changed the following way,...
that if no --keyring is given, and debian-archive-keyring is not
installed (and usable) either... debootstrap should fail (unless
--no-check-gpg is given).

I don't think this will break a lot, as most systems will probably have
debian-archive-keyring installed.

Anyway it's just a Recommends, so it might not be the case, and one
shouldn't leave these systems open to attacks.


Cheers,
Chris.


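An added example (not debootstrap's own code, and not taken from any message in this thread) of the policy proposed above, written as POSIX shell because debootstrap is one: require a keyring by default, stop when none is usable, and skip verification only on an explicit --no-check-gpg. It assumes the default keyring path named in the thread, /usr/share/keyrings/debian-archive-keyring.gpg; the function names are made up for illustration, and the Release excerpt and file contents used to exercise it are constructed, not real archive data. Beside the proposed policy it keeps the opt-in variant for contrast, and shows the two checks that follow once a keyring has been chosen: gpgv over the detached Release.gpg, then the SHA256 that the (now trusted) Release records for each further file downloaded.

```shell
#!/bin/sh
# Added example, not debootstrap code: "verify by default, opt out
# explicitly" keyring policy, the opt-in variant it replaces, and the two
# checks that follow once a keyring is chosen.

# Assumed default keyring path (the one named in the thread).
DEFAULT_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg

# Proposed policy.  Arguments: value of --keyring (or empty), "1" if
# --no-check-gpg was given (or empty), default keyring path (optional).
# Prints the decision and returns non-zero when the bootstrap must stop:
#   verify:<keyring>  check Release.gpg against <keyring>
#   skip              --no-check-gpg given: verification explicitly disabled
#   fail              no usable keyring and no explicit opt-out: refuse to run
keyring_policy() {
    keyring=$1
    no_check=$2
    default=${3:-$DEFAULT_KEYRING}

    if [ -n "$no_check" ]; then
        echo skip
        return 0
    fi
    if [ -n "$keyring" ]; then
        # An explicitly requested keyring that cannot be read is an error,
        # not a reason to fall back to unverified downloads.
        if [ -r "$keyring" ]; then
            echo "verify:$keyring"
            return 0
        fi
        echo fail
        return 1
    fi
    if [ -r "$default" ]; then
        echo "verify:$default"
        return 0
    fi
    echo fail
    return 1
}

# The opt-in behaviour the thread objects to: identical, except that a
# missing default keyring silently downgrades to "skip" instead of "fail".
keyring_policy_optin() {
    keyring=$1
    no_check=$2
    default=${3:-$DEFAULT_KEYRING}

    if [ -n "$no_check" ]; then echo skip; return 0; fi
    if [ -n "$keyring" ]; then
        if [ -r "$keyring" ]; then echo "verify:$keyring"; return 0; fi
        echo fail
        return 1
    fi
    if [ -r "$default" ]; then echo "verify:$default"; return 0; fi
    echo skip     # the hole: no keyring, no warning, no verification
    return 0
}

# After "verify:<keyring>": check the detached signature on Release.
# gpgv exits non-zero on a bad or unknown signature; the caller aborts then.
verify_release() {
    keyring=$1
    release=$2
    sig=$3      # Release.gpg, the detached signature
    gpgv --keyring "$keyring" "$sig" "$release"
}

# Release lists "<sha256> <size> <path>" lines under a "SHA256:" header;
# print the hash it records for path $2, or nothing if it is not listed.
release_sha256() {
    awk -v want="$2" '
        /^SHA256:/ { insec = 1; next }
        /^[^ ]/    { insec = 0 }
        insec && $3 == want { print $1; exit }
    ' "$1"
}

_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a downloaded file ($3) against the hash Release ($1) records for
# its archive path ($2).  A file Release does not list at all is rejected too.
check_file_hash() {
    want=$(release_sha256 "$1" "$2")
    if [ -z "$want" ]; then
        echo "Release lists no SHA256 for $2" >&2
        return 1
    fi
    [ "$(_sha256 "$3")" = "$want" ]
}
```

With no default keyring present and no options, keyring_policy prints "fail" and returns 1 where keyring_policy_optin prints "skip" and carries on unverified; that single branch is the difference the thread is about. check_file_hash rejects both a hash mismatch and a path that Release does not list, which is what makes a signature-checked Release meaningful for the Packages files fetched after it.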


Bug#432309: should check Release signature by default?

2007-07-09 Thread Christoph Anton Mitterer
On Mon, 2007-07-09 at 14:56 +0200, Frans Pop wrote:
> On Monday 09 July 2007 13:38, Christoph Anton Mitterer wrote:
> > - I think it would be an improvement if debootstrap would per default
> >   use the standard debian-archive-keyring for validating the Release
> >   files. It still could allow to select another or disable checking at
> >   all (via a new option), thus:
> OK, that makes more sense. Reopening and adjusting the title.
*G* Yeah,... think so, too ;)


> > btw: What's the reason to keep both debootstrap and cdebootstrap in
> > debian? They seem to be very similar.
> 
> Why keep both KDE and Gnome in the archive... OK, that one is a bit more 
> extreme, but it's still basically the same question.
Uhm,.. yes,.. but both are really very similar. Perhaps the developers
could coordinate and merge the feature set and finally remove one.

Chris.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Processed: Re: Bug#432309: should check Release signature by default?

2007-07-09 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> found 432309 1.0.0
Bug#432309: should check Release signature by default?
Bug marked as found in version 1.0.0 and reopened.

>
End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Processed (with 1 errors): Re: Bug#432309: should check Release signature by default?

2007-07-09 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> found 432309 debootstrap 1.0.0
Unknown command or malformed arguments to command.

> retitle 432309 should check Release signature by default?
Bug#432309: debootstrap should use signed Release files
Changed Bug title to `should check Release signature by default?' from 
`debootstrap should use signed Release files'.
(By the way, that Bug is currently marked as done.)

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#432309: should check Release signature by default?

2007-07-09 Thread Frans Pop
found 432309 debootstrap 1.0.0
retitle 432309 should check Release signature by default?
thanks

On Monday 09 July 2007 13:38, Christoph Anton Mitterer wrote:
> - I think it would be an improvement if debootstrap would per default
>   use the standard debian-archive-keyring for validating the Release
>   files. It still could allow to select another or disable checking at
>   all (via a new option), thus:

OK, that makes more sense. Reopening and adjusting the title.

> - debootstrap should depend on or at least recommend
>   debian-archive-keyring

I think the last is possibly the main reason why it is currently optional.

> btw: What's the reason to keep both debootstrap and cdebootstrap in
> debian? They seem to be very similar.

Why keep both KDE and Gnome in the archive... OK, that one is a bit more 
extreme, but it's still basically the same question.

Anyway, at least for me personally cdebootstrap has always failed if I 
wanted to set up a pbuilder chroot while debootstrap just worked.

