[Whonix-devel] [qubes-devel] Re: qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?

Patrick Schleizer patrick-mailinglists at whonix.org
Wed Jun 24 02:02:51 CEST 2015


Marek Marczykowski-Górecki:
> On Sat, May 02, 2015 at 02:13:20PM +0000, Patrick Schleizer wrote:
>> Jason M:
>>>
>>>
>>> On Monday, 27 April 2015 18:34:12 UTC-4, Jason M wrote:
>>>>
>>>> On 27 April 2015 at 18:26, Patrick Schleizer wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> From
>>>>> qubes-linux-template-builder/scripts_debian/vars.sh
>>>>>
>>>>> https://github.com/QubesOS/qubes-builder-debian/blob/33109b3ed425fc5c590b5e551ed4739373076609/template_qubuntu/vars.sh#L25
>>>>>
>>>>> APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
>>>>>
>>>>> Could be a security issue. The combination of --force-yes and --yes is
>>>>> insecure. Could lead to installation of unsigned packages.
>>>>>
>>>>> Concluded that by reading the source and by remembering a bug report
>>>>> against a similar Debian image build script where I did some testing.
>>>>>
>>>>> - https://github.com/grml/grml-debootstrap/issues/62
>>>>> -
>>>>>
>>>>> https://www.whonix.org/wiki/Dev/apt-get#apt-get_Install_Signed_vs_Unsigned_Packages
>>>>>
>>>>> I didn't actually test here but I find this quite possible. Highly
>>>>> recommend to drop the --force-yes.
>>>>>
>>>>
>>>> Good catch.  I will investigate it further.  The purpose of
>>>> `--force-yes` is to allow overriding package configuration when
>>>> initially building the template.  Will see what happens without the force
>>>> option.
>>>>
>>>
>>> I removed the --force-yes option and everything seems to build fine still.  
>>> I will submit a PR most likely tonight after some more testing has been 
>>> completed. 
>>>  
>>>
> 
>> Any news on this?
> 
> Jason already submitted a pull request with this change, but I haven't
> merged it yet. Will do probably today or tomorrow.

I haven't found the pull request ( not
https://github.com/QubesOS/qubes-linux-template-builder/pulls?utf8=%E2%9C%93&q=
- where else? ).

Also no related git log entry.

Just to be sure, has this been done?

Cheers,
Patrick
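The check Patrick asks for above (does the builder still pass `--force-yes` next to `--yes`?) can be automated as a small lint over the APT_GET_OPTIONS string. The following is an added example, not code from the thread or from the Qubes builder: the function names `check_apt_options` and `strip_force_yes` and the sample strings are constructed for illustration, and the only substantive claim it encodes is the one from the thread, that `--force-yes` should be dropped while `--yes` and the dpkg conffile option stay.

```shell
#!/bin/sh
# Added example (not part of the original thread or the Qubes builder scripts).
# Lints an APT_GET_OPTIONS value the way a build-script reviewer would:
# --force-yes is rejected because, as the thread notes, it lets apt-get
# continue past a failed package signature check; --yes and the dpkg
# conffile option are left alone.

# check_apt_options OPTS
# Returns 0 when OPTS contains no --force-yes, 1 (with a message on stderr)
# when it does. Spaces are padded around OPTS so only a whole option matches,
# not a substring such as "--force-confnew".
check_apt_options() {
    opts="$1"
    case " $opts " in
        *" --force-yes "*)
            echo "UNSAFE: --force-yes present in: $opts" >&2
            return 1 ;;
    esac
    return 0
}

# strip_force_yes OPTS
# Prints OPTS with every " --force-yes" removed and nothing else changed.
strip_force_yes() {
    printf '%s\n' "$1" | sed 's/ *--force-yes//g'
}

# lint_vars_file FILE
# Applies the check to every APT_GET_OPTIONS= assignment in a vars.sh-style
# file; returns 1 if any assignment is unsafe.
lint_vars_file() {
    status=0
    grep '^APT_GET_OPTIONS=' "$1" | while IFS= read -r line; do
        value=${line#APT_GET_OPTIONS=}
        check_apt_options "$value" || exit 1
    done || status=1
    return $status
}

# Constructed samples: the option string quoted in the thread and its
# hardened form with --force-yes dropped.
UNSAFE_OPTS='-o Dpkg::Options::="--force-confnew" --force-yes --yes'
SAFE_OPTS=$(strip_force_yes "$UNSAFE_OPTS")

# Stand-alone run: report both strings.
if check_apt_options "$UNSAFE_OPTS" 2>/dev/null; then
    echo "original options: safe"
else
    echo "original options: unsafe (--force-yes present)"
fi
echo "hardened options: $SAFE_OPTS"
```

The padded `case` match is the important detail: a naive substring test for `--force` would also fire on the harmless `Dpkg::Options::="--force-confnew"`, which is exactly the option the thread wants to keep.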
