Yeah, we were originally considering fixing all of the individual
templates but frankly it was just too much of a mess of bad patterns
from a variety of different authors with no real consistency.
Instead what we came up with is distrobuilder 
(https://github.com/lxc/distrobuilder) which has now taken over image building 
duties for all the images we produce (https://images.linuxcontainers.org) and 
does have proper https and gpg support from the start.

All images we produce are built using public YAML definitions that can
be found in https://github.com/lxc/lxc-ci and all of those either rely
on https for the download of the base tarball (which then contains
what's needed for the package manager to safely fetch packages) or
directly contain a custom GPG keyring that's exposed to the image build.
The rest of the story is effectively the same as before: all builds happen on 
our infrastructure (https://jenkins.linuxcontainers.org), images are then 
pulled, validated and signed by a separate system which then pushes them to the 
image server. All artifacts are available over valid https and are gpg 
signed using the key that's baked into the lxc-download script.

Back in LXC 3.0 we moved the legacy template scripts to their own
repository at https://github.com/lxc/lxc-templates and they are now
community-maintained without security/LTS commitments on them on our
side. Ubuntu still ships lxc-templates but it does so in universe rather
than main, matching the upstream commitment.

** Changed in: lxc (Ubuntu)
       Status: New => Fix Released

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1661447

Title:
  Arbitrary code execution in centos template

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  All the RPMs which get installed in an lxc-centos container are
  downloaded insecurely over http and then installed with yum
  --nogpgcheck. A man-in-the-middle attacker, web proxy admin, or
  whoever can use this to install arbitrary code into the container
  which will then get executed as root.

  The GPG keys should probably be shipped as part of the package where
  they are covered by the root of trust for the host distro. Or at the
  very least, https should be used to fetch the RPMs.
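As an added example (not from this thread, nor code from the lxc or distrobuilder projects), a small Python audit of the two weaknesses the report names, run over a constructed yum repo definition and install command; the repo contents, mirror hostname and key path are made up for illustration:

```python
import re

# Constructed samples: a yum .repo section of the kind a container template
# writes into the rootfs, in the weak form the report describes and in a
# hardened form. Hostname and key path are hypothetical, not real values.
INSECURE_REPO = """[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.example.invalid/centos/$releasever/os/$basearch/
gpgcheck=0
"""
HARDENED_REPO = """[base]
name=CentOS-$releasever - Base
baseurl=https://mirror.example.invalid/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///usr/share/lxc/keys/RPM-GPG-KEY-CentOS-7
"""


def audit_repo(repo_text):
    """Return findings for one yum .repo section.

    Flags cleartext transport for the RPMs (http:// baseurl or mirrorlist),
    signature checking not explicitly enabled (assumption: we do not rely on
    an inherited [main] default), and a gpgkey that is not shipped locally,
    since a key fetched over the network is only as trusted as that fetch.
    """
    findings = []
    kv = dict(re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", repo_text, re.M))
    for key in ("baseurl", "mirrorlist"):
        if kv.get(key, "").startswith("http://"):
            findings.append(f"{key} fetched over cleartext http")
    if kv.get("gpgcheck") != "1":
        findings.append("gpgcheck not enabled: unsigned RPMs accepted")
    elif not kv.get("gpgkey", "").startswith("file://"):
        findings.append("gpgkey not shipped locally: key fetched untrusted")
    return findings


def audit_command(cmd):
    """Flag install commands that bypass RPM signature verification."""
    findings = []
    if "--nogpgcheck" in cmd.split():
        findings.append("--nogpgcheck bypasses signature verification")
    if re.search(r"\bhttp://\S+\.rpm\b", cmd):
        findings.append("RPM fetched directly over cleartext http")
    return findings
```

A clean result requires both https transport and a locally shipped key, which is the "root of trust for the host distro" the report asks for.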


-- 
Mailing list: https://launchpad.net/~touch-packages
