[Piuparts-devel] Bug#545907: Bug#545907: piuparts uses debootstrap in an insecure way

Holger Levsen holger at layer-acht.org
Thu Sep 10 08:39:22 UTC 2009


tags 545907 +security
thanks

Hi Christoph,

Thanks for your bug report. Even though I was aware of the issue, it helps to
file bugs to make people fix things they are aware of ;-)

On Wednesday, 9 September 2009, Christoph Anton Mitterer wrote:
> debootstrap (unlike cdebootstrap IIRC) does not check signatures on
> any packages per default, but only when the "--keyring" option is used.
>
> This has the potential security problem, that users are building (and
> thus executing code) that is not verified.

Right. This is a problem for users testing their own packages. For a setup
like piuparts.debian.org this is no real problem though, as such a setup
needs to deal with potentially hostile code anyway.

> 2) If nothing of the above is specified, piuparts should fail.

I guess I will make it use secure apt per default and give an option not to 
use authentication.

> I'm not sure about the following:
> - As piuparts installs stuff inside the already bootstrapped chroot,
> there may be additional possibilities for insecure packages. But I
> assume you always use apt there, right? And this should use keys,..

yes

> well at least with debootstrap they're copied into the chroot
> (IIRC),... not sure about cdebootstrap.

piuparts uses debootstrap.

> - Is this already a problem with current build daemons or whatever?
> And should we inform those guys on this problem?

AFAIK buildds don't use secure apt either. But I'm not sure this is still the
case, maybe this has been fixed.


regards,
	Holger
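
The policy discussed in this thread (pass "--keyring" to debootstrap by default, fail when no usable keyring is available, and skip authentication only on explicit request), as an added example that is not piuparts code and not part of the original mail. The function and exception names, the default keyring path and the mirror URL are assumptions.

```python
import os
import tempfile

# Assumption: keyring path as shipped by the debian-archive-keyring package.
DEFAULT_KEYRING = "/usr/share/keyrings/debian-archive-keyring.gpg"


class UnverifiedBootstrapError(Exception):
    """Raised when a chroot would be bootstrapped without signature checks."""


def debootstrap_argv(suite, target, mirror, keyring=DEFAULT_KEYRING,
                     allow_unauthenticated=False):
    """Build the debootstrap argument vector, failing closed.

    Returns a list suitable for subprocess.run() (no shell involved).
    """
    if allow_unauthenticated:
        # Explicit opt-out: no --keyring is passed, so (as the report
        # describes) debootstrap verifies nothing.
        return ["debootstrap", suite, target, mirror]
    if not keyring:
        raise UnverifiedBootstrapError("no keyring given and no opt-out")
    # A missing or empty keyring file must not silently downgrade the run.
    if not os.path.isfile(keyring) or os.path.getsize(keyring) == 0:
        raise UnverifiedBootstrapError("keyring missing or empty: %s" % keyring)
    return ["debootstrap", "--keyring=" + keyring, suite, target, mirror]


if __name__ == "__main__":
    mirror = "http://mirror.example/debian"  # constructed placeholder
    with tempfile.TemporaryDirectory() as tmp:
        ring = os.path.join(tmp, "archive.gpg")
        with open(ring, "wb") as fh:
            fh.write(b"constructed keyring placeholder")
        print(debootstrap_argv("sid", "/tmp/chroot", mirror, keyring=ring))
        try:
            debootstrap_argv("sid", "/tmp/chroot", mirror,
                             keyring=os.path.join(tmp, "absent.gpg"))
        except UnverifiedBootstrapError as exc:
            print("refused:", exc)
        print(debootstrap_argv("sid", "/tmp/chroot", mirror,
                               allow_unauthenticated=True))
```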