[Whonix-devel] [qubes-devel] Re: qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?
Marek Marczykowski-Górecki
marmarek at invisiblethingslab.com
Wed Jun 24 02:16:33 CEST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, Jun 24, 2015 at 12:02:51AM +0000, Patrick Schleizer wrote:
> Marek Marczykowski-Górecki:
> > On Sat, May 02, 2015 at 02:13:20PM +0000, Patrick Schleizer wrote:
> >> Jason M:
> >>>
> >>>
> >>> On Monday, 27 April 2015 18:34:12 UTC-4, Jason M wrote:
> >>>>
> >>>> On 27 April 2015 at 18:26, Patrick Schleizer wrote:
> >>>>
> >>>>> Hi!
> >>>>>
> >>>>> From
> >>>>> qubes-linux-template-builder/scripts_debian/vars.sh
> >>>>>
> >>>>> https://github.com/QubesOS/qubes-builder-debian/blob/33109b3ed425fc5c590b5e551ed4739373076609/template_qubuntu/vars.sh#L25
> >>>>>
> >>>>> APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
> >>>>>
> >>>>> Could be a security issue. The combination of --force-yes and --yes is
> >>>>> insecure. Could lead to installation of unsigned packages.
> >>>>>
> >>>>> Concluded that by reading the source and by remembering a bug report
> >>>>> against a similar Debian image build script where I did some testing.
> >>>>>
> >>>>> - https://github.com/grml/grml-debootstrap/issues/62
> >>>>> -
> >>>>>
> >>>>> https://www.whonix.org/wiki/Dev/apt-get#apt-get_Install_Signed_vs_Unsigned_Packages
> >>>>>
> >>>>> I didn't actually test here but I find this quite possible. Highly
> >>>>> recommend to drop the --force-yes.
> >>>>>
> >>>>
> >>>> Good catch. I will investigate it further. The purpose is the
> >>>> `--force-yes` is to all the over riding package configuration when
> >>>> initially building the template. Will see what happens without the force
> >>>> option.
> >>>>
> >>>
> >>> I removed the --force-yes option and everything seems to build fine still.
> >>> I will submit a PR most likely tonight after some more testing has been
> >>> completed.
> >>>
> >>>
> >
> >> Any news on this?
> >
> > Jason already submitted pull request with this change, but I haven't
> > merged it yet. Will do probably today or tomorrow.
>
> I haven't found the pull request ( not
> https://github.com/QubesOS/qubes-linux-template-builder/pulls?utf8=%E2%9C%93&q=
> - where else? ).
Jason create pull requests to my repositories. This is the one you are
looking for:
https://github.com/marmarek/qubes-builder-debian/pull/8
> Also no related git log entry.
>
> Just to be sure, has this been done?
Yes.
Also you're probably interested in this one:
https://github.com/marmarek/qubes-builder-debian/pull/11
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVifbhAAoJENuP0xzK19cslZcIAJBWWmwlV7/qTxGIzUEE6Nme
ogiiXWln+SBanjBXdgSJgFN7XCIJTpwK3m55dvWsj/xklVEZUn5XMlanwzSnanIB
K9nq1gtuETp+9vt0Xkjk+2z2xLukEgaETmpU7IcmxcQYl8zgnAbHeA4Ds8Ea6Rzx
H4KliEV46LEe+5+E2L+9AXrrwwKuLHe4NMb85ReEr04V8hOrj8vdHSNd0iP8N813
HmPBsWLR3EBTYdnSpx0GJphfGUmx7tKE/WLVPhAWUOvp+RVwj/ASsPwApxK8T706
1EivVVCKC2oMQA4IN1nNWI2aiMCn3SjpgBdPH5SvwM6pWR8lvHrhlh9gEBD4hfs=
=gtI+
-----END PGP SIGNATURE-----
More information about the Whonix-devel
mailing list