Bug#579028: pbuilder: installs untrusted packages without asking
Junichi Uekawa dixit:

>I don't share the opinion that this should be a grave bug to change
>the default, and in order to change the default you need to deprecate
>a command-line option and introduce two new command-line options when
>you could have just changed the default shipping pbuilderrc.
>
>> To still allow untrusted/unsigned repositories - they are a very
>> bad idea and allow remote attackers performing a MITM to take
>> over the system, including all built packages - the new option
>> --allow-untrusted (ALLOWUNTRUSTED) was added.
>
>I don't care what you think is a bad idea.

Allowing installation of untrusted packages anywhere on the system,
even in a chroot, is a security issue. In something people use to
build packages for the archive it i̲s̲ grave.

I really was surprised, no, shocked to read that cowbuilder disables
Secure APT by default and would very much like to see that changed,
yes, the default, globally.

bye,
//mirabilos (with hats “Debian Developer” and “m68k buildd” on)
-- 
"Using Lynx is like wearing a really good pair of shades: cuts out
the glare and harmful UV (ultra-vanity), and you feel so-o-o COOL."
        -- Henry Nelson, March 1999

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#579028: pbuilder: installs untrusted packages without asking
At Tue, 06 Mar 2012 02:29:25 +0100, Simon Ruderich wrote:
>
> Package: pbuilder
> Version: 0.206
> Tags: patch
> Followup-For: Bug #579028
>
> Dear Maintainer,
>
> The attached patch changes the defaults to always enforce signed
> repositories and aborts if an untrusted/manipulated package is
> installed. It adds the new option --keyring (APTKEYRINGS) to add
> additional keyrings, which are then used to verify the (local)
> signed repositories. This way no untrusted packages can be
> installed.
>
> To still allow untrusted/unsigned repositories - they are a very
> bad idea and allow remote attackers performing a MITM to take
> over the system, including all built packages - the new option
> --allow-untrusted (ALLOWUNTRUSTED) was added.
>
> I tested it with the official Debian repository, signed and
> unsigned local repositories and it works fine for me. But I'm
> only a "normal" pbuilder user, so I might have missed something.
> Please test the patch.
>
> I haven't tested it with cdebootstrap, but it should work as
> well.

I think cowbuilder/qemubuilder won't let you pass an unknown arbitrary
option to pbuilder; you'll need to add a patch there as well.

I don't know if pdebuild will need any change; I guess not.

>
> The old PBUILDERSATISFYDEPENDSOPT --check-key option was
> deprecated and is no longer used (it emits a warning now) as
> validation is the default now.
>
> The patch also contains documentation updates for the new
> options/variables and updates for the NEWS file describing the
> necessary changes to continue using untrusted packages (but
> please don't do that - especially as a Debian developer).
>
> Please have a look and include the patch as soon as possible to
> fix this security issue.
>
> Regards,
> Simon
>
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages pbuilder depends on:
> ii  cdebootstrap           0.5.8+b1
> ii  coreutils              8.13-3
> ii  debconf [debconf-2.0]  1.5.41
> ii  debianutils            4.2.1
> ii  debootstrap            1.0.38
> ii  dpkg-dev               1.16.1.2
> ii  wget                   1.13.4-2
>
> Versions of packages pbuilder recommends:
> pn  devscripts  2.11.4
> pn  fakeroot    1.18.2-1
> pn  sudo
>
> Versions of packages pbuilder suggests:
> pn  cowdancer
> pn  gdebi-core
> pn  pbuilder-uml
>
> -- debconf information excluded
Bug#579028: pbuilder: installs untrusted packages without asking
At Tue, 06 Mar 2012 02:29:25 +0100, Simon Ruderich wrote:
>
> [1 ]
> Package: pbuilder
> Version: 0.206
> Tags: patch
> Followup-For: Bug #579028
>
> Dear Maintainer,
>
> The attached patch changes the defaults to always enforce signed
> repositories and aborts if an untrusted/manipulated package is
> installed. It adds the new option --keyring (APTKEYRINGS) to add
> additional keyrings, which are then used to verify the (local)
> signed repositories. This way no untrusted packages can be
> installed.

I don't share the opinion that this should be a grave bug to change
the default, and in order to change the default you need to deprecate
a command-line option and introduce two new command-line options when
you could have just changed the default shipping pbuilderrc.

> To still allow untrusted/unsigned repositories - they are a very
> bad idea and allow remote attackers performing a MITM to take
> over the system, including all built packages - the new option
> --allow-untrusted (ALLOWUNTRUSTED) was added.

I don't care what you think is a bad idea.

>
> I tested it with the official Debian repository, signed and
> unsigned local repositories and it works fine for me. But I'm
> only a "normal" pbuilder user, so I might have missed something.
> Please test the patch.
>
> I haven't tested it with cdebootstrap, but it should work as
> well.
>
> The old PBUILDERSATISFYDEPENDSOPT --check-key option was
> deprecated and is no longer used (it emits a warning now) as
> validation is the default now.
>
> The patch also contains documentation updates for the new
> options/variables and updates for the NEWS file describing the
> necessary changes to continue using untrusted packages (but
> please don't do that - especially as a Debian developer).
>
> Please have a look and include the patch as soon as possible to
> fix this security issue.

Although I don't agree with most of the things you have stated in the
mail, your patch looks reasonably well written and I don't object to
applying it first and see who suffers; I suppose cowbuilder /
qemubuilder people will, because they don't yet support the new
option.

>
> Regards,
> Simon
>
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages pbuilder depends on:
> ii  cdebootstrap           0.5.8+b1
> ii  coreutils              8.13-3
> ii  debconf [debconf-2.0]  1.5.41
> ii  debianutils            4.2.1
> ii  debootstrap            1.0.38
> ii  dpkg-dev               1.16.1.2
> ii  wget                   1.13.4-2
>
> Versions of packages pbuilder recommends:
> pn  devscripts  2.11.4
> pn  fakeroot    1.18.2-1
> pn  sudo
>
> Versions of packages pbuilder suggests:
> pn  cowdancer
> pn  gdebi-core
> pn  pbuilder-uml
>
> -- debconf information excluded
>
> [2 0001-Enforce-valid-signed-repositories-by-default.patch us-ascii (7bit)>]
> >From cadc48fb599d436577a6efedc7f25e175652a3a1 Mon Sep 17 00:00:00 2001 > Message-Id: > > From: Simon Ruderich > Date: Tue, 6 Mar 2012 02:00:48 +0100 > Subject: [PATCH] Enforce valid signed repositories by default. > > --- > debian/NEWS | 19 ++ > debian/pbuilder-test/00_prepinstall |2 +- > pbuilder-checkparams| 18 + > pbuilder-createbuildenv |5 > pbuilder-satisfydepends-aptitude|2 +- > pbuilder-satisfydepends-checkparams | 19 + > pbuilder-updatebuildenv |6 + > pbuilder.8 | 20 ++- > pbuilderrc | 23 + > pbuilderrc.5| 36 ++ > 10 files changed, 124 insertions(+), 26 deletions(-) > > diff --git a/debian/NEWS b/debian/NEWS > index 6d1
Bug#579028: pbuilder: installs untrusted packages without asking
On Tue, Mar 06, 2012 at 02:29:25AM +0100, Simon Ruderich wrote:
> I tested it with the official Debian repository, signed and
> unsigned local repositories and it works fine for me. But I'm
> only a "normal" pbuilder user, so I might have missed something.
> Please test the patch.

Just noticed that I overlooked the last few messages. My patch
doesn't fix these use cases, disabling the check works though.

Regards,
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Bug#579028: pbuilder: installs untrusted packages without asking
Package: pbuilder
Version: 0.206
Tags: patch
Followup-For: Bug #579028

Dear Maintainer,

The attached patch changes the defaults to always enforce signed
repositories and aborts if an untrusted/manipulated package is
installed. It adds the new option --keyring (APTKEYRINGS) to add
additional keyrings, which are then used to verify the (local)
signed repositories. This way no untrusted packages can be
installed.

To still allow untrusted/unsigned repositories - they are a very
bad idea and allow remote attackers performing a MITM to take
over the system, including all built packages - the new option
--allow-untrusted (ALLOWUNTRUSTED) was added.

I tested it with the official Debian repository, signed and
unsigned local repositories and it works fine for me. But I'm
only a "normal" pbuilder user, so I might have missed something.
Please test the patch.

I haven't tested it with cdebootstrap, but it should work as
well.

The old PBUILDERSATISFYDEPENDSOPT --check-key option was
deprecated and is no longer used (it emits a warning now) as
validation is the default now.

The patch also contains documentation updates for the new
options/variables and updates for the NEWS file describing the
necessary changes to continue using untrusted packages (but
please don't do that - especially as a Debian developer).

Please have a look and include the patch as soon as possible to
fix this security issue.

Regards,
Simon

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pbuilder depends on:
ii  cdebootstrap           0.5.8+b1
ii  coreutils              8.13-3
ii  debconf [debconf-2.0]  1.5.41
ii  debianutils            4.2.1
ii  debootstrap            1.0.38
ii  dpkg-dev               1.16.1.2
ii  wget                   1.13.4-2

Versions of packages pbuilder recommends:
pn  devscripts  2.11.4
pn  fakeroot    1.18.2-1
pn  sudo

Versions of packages pbuilder suggests:
pn  cowdancer
pn  gdebi-core
pn  pbuilder-uml

-- debconf information excluded

>From cadc48fb599d436577a6efedc7f25e175652a3a1 Mon Sep 17 00:00:00 2001 Message-Id: 
From: Simon Ruderich Date: Tue, 6 Mar 2012 02:00:48 +0100 Subject: [PATCH] Enforce valid signed repositories by default. --- debian/NEWS | 19 ++ debian/pbuilder-test/00_prepinstall |2 +- pbuilder-checkparams| 18 + pbuilder-createbuildenv |5 pbuilder-satisfydepends-aptitude|2 +- pbuilder-satisfydepends-checkparams | 19 + pbuilder-updatebuildenv |6 + pbuilder.8 | 20 ++- pbuilderrc | 23 + pbuilderrc.5| 36 ++ 10 files changed, 124 insertions(+), 26 deletions(-) diff --git a/debian/NEWS b/debian/NEWS index 6d144b9..80d36e9 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,22 @@ +pbuilder (0.207) unstable; urgency=low + + The default configuration will now only install trusted packages. This + prevents building packages with manipulated sources or a system compromise + due to a man-in-the-middle attack. + + However this also prevents installing packages from unsigned repositories by + default. + + If you really want to continue using unsigned repositories, you have to set + ALLOWUNTRUSTED=yes in your .pbuilderrc or use the --allow-untrusted option. + But if possible use a signed repository and set the used keys with the new + --keyring option (can be passed multiple times). + + Due to this change the PBUILDERSATISFYDEPENDSOPT option --check-key is no + longer necessary and thus deprecated. + + -- Simon Ruderich Tue, 06 Mar 2012 02:02:38 +0100 + pbuilder (0.197) unstable; urgency=low The default configuration will now enable ccache. To
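Review bot: in the debian/NEWS entry, the opt-out path is given in both its forms (ALLOWUNTRUSTED=yes in .pbuilderrc and the --allow-untrusted option), but the recommended path names only the --keyring command-line option and leaves out the APTKEYRINGS variable that the cover message pairs with it, so a user who configures a signed local repository through pbuilderrc has nothing to copy from this entry. Suggest naming APTKEYRINGS next to --keyring. The closing paragraph on --check-key should also say what happens to configurations that still pass it; the cover message states that it now emits a warning, and the NEWS text only calls it deprecated.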
Bug#579028: pbuilder: installs untrusted packages without asking
Ansgar Burchardt dixit:

>decided to reopen it. I do not believe a package in Debian should
>disable secure apt by default, allowing a man-in-the-middle to take over
>the system.
>
>This is even more so for a package that is used by many people to
>produce binaries for the archive and is likely to be run on systems

+1

bye,
//mirabilos, who never got the hang of sbuild
-- 
ch: good, you corrected yourself. ppl tend to tweet such news
immediately, sth. like "grml devs seem to be buyable"
dileks: we _are_. if you throw enough money in our direction,
things will happen
everyone is buyable, it's just a matter of price
and now comes [mira] and uses this as a signature ;0
        -- they asked for it…
Bug#579028: pbuilder: installs untrusted packages without asking
At Fri, 11 Jun 2010 18:20:58 -0700, Vagrant Cascadian wrote:
>
> in pbuilder-satisfydepends-aptitude:
>
> $CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false -o Aptitude::CmdLine::Ignore-Trust-Violations=true -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy
>
> i don't know if the other satisfydepends scripts have similar issues.
>
> seems like the Aptitude::CmdLine::Ignore-Trust-Violations=true should at least
> be configurable somehow, if not defaulting to false.
>
> this appears to have been added quite some time ago. from the ChangeLog:
>
> 2007-04-22 Loic Minier
>
> * pbuilder-satisfydepends-aptitude: Pass
> Aptitude::ProblemResolver::StepScore and
> Aptitude::CmdLine::Ignore-Trust-Violations flags to aptitude to
> help resolve complex situations relatively common in experimental and
> support unsigned repositories like we do for apt-get.
>
> so it's obviously intentional...

Yes, it's intentionally this way, to not break compatibility with
older versions, and support local repositories, and keep pbuilder
non-interactive.

regards,
junichi
-- 
dan...@{netfort.gr.jp,debian.org}
Bug#579028: pbuilder: installs untrusted packages without asking
At Sun, 25 Apr 2010 00:01:36 +0900, Ansgar Burchardt wrote:
>
> Package: pbuilder
> Version: 0.196
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> pbuilder will by default install packages from untrusted sources. This
> means the system can be compromised by a man in the middle providing
> malicious packages. There also seems no way to get pbuilder to stop
> doing so.
>
> pbuilder should (in the default configuration) not install packages that
> are not trusted, only when the user explicitly requests this explicitly.

I don't agree to this point since this will break all existing
configurations.

>
> Also when creating the chroot with debootstrap, the --keyring option
> should be used so that debootstrap will check for a valid signature.

I shall do this.

>
> Regards,
> Ansgar
>
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
Bug#579028: pbuilder: installs untrusted packages without asking
severity wishlist
thanks

At Sun, 25 Apr 2010 00:01:36 +0900, Ansgar Burchardt wrote:
>
> Package: pbuilder
> Version: 0.196
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> pbuilder will by default install packages from untrusted sources. This
> means the system can be compromised by a man in the middle providing
> malicious packages. There also seems no way to get pbuilder to stop
> doing so.
>
> pbuilder should (in the default configuration) not install packages that
> are not trusted, only when the user explicitly requests this explicitly.
>
> Also when creating the chroot with debootstrap, the --keyring option
> should be used so that debootstrap will check for a valid signature.
>
> Regards,
> Ansgar
>
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
Bug#579028: pbuilder: installs untrusted packages without asking
On Fri, Jun 11, 2010, Vagrant Cascadian wrote:
> 2007-04-22 Loic Minier
>
> * pbuilder-satisfydepends-aptitude: Pass
> Aptitude::ProblemResolver::StepScore and
> Aptitude::CmdLine::Ignore-Trust-Violations flags to aptitude to
> help resolve complex situations relatively common in experimental and
> support unsigned repositories like we do for apt-get.

Yes, and it was already the default in pbuilder before this change;
it's a long standing open bug.

-- 
Loïc Minier
Bug#579028: pbuilder: installs untrusted packages without asking
in pbuilder-satisfydepends-aptitude:

$CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false -o Aptitude::CmdLine::Ignore-Trust-Violations=true -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy

i don't know if the other satisfydepends scripts have similar issues.

seems like the Aptitude::CmdLine::Ignore-Trust-Violations=true should at least
be configurable somehow, if not defaulting to false.

this appears to have been added quite some time ago. from the ChangeLog:

2007-04-22 Loic Minier

* pbuilder-satisfydepends-aptitude: Pass
Aptitude::ProblemResolver::StepScore and
Aptitude::CmdLine::Ignore-Trust-Violations flags to aptitude to
help resolve complex situations relatively common in experimental and
support unsigned repositories like we do for apt-get.

so it's obviously intentional...

live well,
vagrant
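The aptitude invocation quoted in the message above switches off signature enforcement with a single -o option. As an added example (not part of the original thread and not pbuilder's own code), the shell function below audits build scripts and configuration files for such overrides. Assumptions: the sample files are constructed, ALLOWUNTRUSTED is the variable name proposed in the patch discussed in this thread, and apt-get's --allow-unauthenticated / APT::Get::AllowUnauthenticated are included although the thread does not name them.

```shell
#!/bin/sh
# Added example: find settings that switch off APT signature enforcement.

# APT/aptitude options, written lower-case because APT option names are not
# case-sensitive and each line is lower-cased before matching. The aptitude
# option is the one quoted in this thread; the apt-get ones are an addition.
APT_RE='aptitude::cmdline::ignore-trust-violations=(true|yes|1|on)|apt::get::allowunauthenticated=(true|yes|1|on)|--allow-unauthenticated'

# Shell-style assignment of the opt-out variable proposed in the patch
# (matched case-sensitively, as shell variable names are).
VAR_RE="^[ \t]*(export[ \t]+)?ALLOWUNTRUSTED=[\"']?yes"

# scan_trust_overrides FILE...
# Prints "file:line:text" for every non-comment line that disables
# verification. Exit status: 0 if something was found, 1 if not, 2 on misuse.
scan_trust_overrides() {
    [ "$#" -gt 0 ] || { echo "usage: scan_trust_overrides FILE..." >&2; return 2; }
    awk -v apt_re="$APT_RE" -v var_re="$VAR_RE" '
        /^[ \t]*#/ { next }                 # commented-out settings are inert
        tolower($0) ~ apt_re || $0 ~ var_re {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
            hits++
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$@"
}

# make_samples DIR
# Writes constructed sample files into DIR. The aptitude line is the one
# quoted in the thread; the other two files are made up for the demo.
make_samples() {
    cat > "$1/satisfydepends-sample" <<'EOF'
#!/bin/sh
$CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false -o Aptitude::CmdLine::Ignore-Trust-Violations=true -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy
EOF
    cat > "$1/pbuilderrc-sample" <<'EOF'
# constructed pbuilderrc fragment
# ALLOWUNTRUSTED=yes
ALLOWUNTRUSTED=yes
EOF
    cat > "$1/clean-sample" <<'EOF'
DISTRIBUTION=sid
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_trust_overrides "$demo_dir"/* || echo "no trust overrides found"
rm -rf "$demo_dir"
```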
Bug#579028: pbuilder: installs untrusted packages without asking
Package: pbuilder
Version: 0.196
Severity: grave
Tags: security
Justification: user security hole

Hi,

pbuilder will by default install packages from untrusted sources. This
means the system can be compromised by a man in the middle providing
malicious packages. There also seems no way to get pbuilder to stop
doing so.

pbuilder should (in the default configuration) not install packages that
are not trusted, only when the user explicitly requests this explicitly.

Also when creating the chroot with debootstrap, the --keyring option
should be used so that debootstrap will check for a valid signature.

Regards,
Ansgar

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash