[Piuparts-devel] Bug#545907: Bug#545907: piuparts uses debootstrap in an insecure way

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Thu Sep 10 11:03:36 UTC 2009


Hi Holger.

On Thu, 2009-09-10 at 10:39 +0200, Holger Levsen wrote:
> thanks for your bug report, even though I was aware of the issue, it helps to 
> file bugs to make people fix things they are aware of ;-)
:)


> right. This is a problem for users testing their own packages. For a setup 
> like piuparts.debian.org this is no real problem though, as such a setup 
> needs to deal with potential hostile code anyway.
Yes,.. but at least one can reduce the potential sources for attacks =)


> I guess I will make it use secure apt per default and give an option not to 
> use authentication.
That's probably the best idea. And the manpage should contain a big
warning note on security issues for that option.

> > well at least with debootstrap they're copied into the chroot
> > (IIRC),... not sure about cdebootstrap.
> piuparts uses debootstrap
Oh yes ;) ... Actually I've written this bug at first for pbuilder
(which supports both),.. and nearly copied it for piuparts.
Do you know of other packages that could suffer from this problem, too?


> > - Is this already a problem with current build daemons or whatever?
> > And should we inform those guys on this problem?
> 
> AFAIK buildds don't use secure apt either. But I'm not sure this is still the 
> case, maybe this has been fixed. 
Whom could I contact on this? Or do you mean the package?


Regards,
Chris.