[Whonix-devel] qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?

nrgaway nrgaway at gmail.com
Tue Apr 28 00:34:11 CEST 2015

On 27 April 2015 at 18:26, Patrick Schleizer <adrelanos at riseup.net> wrote:

> Hi!
> From
> qubes-linux-template-builder/scripts_debian/vars.sh
> https://github.com/QubesOS/qubes-builder-debian/blob/33109b3ed425fc5c590b5e551ed4739373076609/template_qubuntu/vars.sh#L25
> APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
> Could be a security issue. The combination of --force-yes and --yes is
> insecure. Could lead to installation of unsigned packages.
> Concluded that by reading the source and by remembering a bug report
> against a similar Debian image build script where I did some testing.
> - https://github.com/grml/grml-debootstrap/issues/62
> -
> https://www.whonix.org/wiki/Dev/apt-get#apt-get_Install_Signed_vs_Unsigned_Packages
> I didn't actually test here but I find this quite possible. Highly
> recommend to drop the --force-yes.

Good catch.  I will investigate it further.  The purpose is the
`--force-yes` is to all the over riding package configuration when
initially building the template.  Will see what happens without the force
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.whonix.org/pipermail/whonix-devel/attachments/20150427/807511c7/attachment.html>

More information about the Whonix-devel mailing list