[Whonix-devel] [qubes-devel] Re: qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?

Marek Marczykowski-Górecki marmarek at invisiblethingslab.com
Sat May 2 16:18:04 CEST 2015



On Sat, May 02, 2015 at 02:13:20PM +0000, Patrick Schleizer wrote:
> Jason M:
> > 
> > 
> > On Monday, 27 April 2015 18:34:12 UTC-4, Jason M wrote:
> >>
> >> On 27 April 2015 at 18:26, Patrick Schleizer wrote:
> >>
> >>> Hi!
> >>>
> >>> From
> >>> qubes-linux-template-builder/scripts_debian/vars.sh
> >>>
> >>> https://github.com/QubesOS/qubes-builder-debian/blob/33109b3ed425fc5c590b5e551ed4739373076609/template_qubuntu/vars.sh#L25
> >>>
> >>> APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
> >>>
> >>> Could be a security issue. The combination of --force-yes and --yes is
> >>> insecure. Could lead to installation of unsigned packages.
> >>>
> >>> Concluded that by reading the source and by remembering a bug report
> >>> against a similar Debian image build script where I did some testing.
> >>>
> >>> - https://github.com/grml/grml-debootstrap/issues/62
> >>> - https://www.whonix.org/wiki/Dev/apt-get#apt-get_Install_Signed_vs_Unsigned_Packages
> >>>
> >>> I didn't actually test here but I find this quite possible. Highly
> >>> recommend to drop the --force-yes.
> >>>
> >>
> >> Good catch.  I will investigate it further.  The purpose of the
> >> `--force-yes` is to allow the overriding of package configuration when
> >> initially building the template.  Will see what happens without the force
> >> option.
> >>
> > 
> > I removed the --force-yes option and everything seems to build fine still.  
> > I will submit a PR most likely tonight after some more testing has been 
> > completed. 
> >  
> > 
> 
> Any news on this?

Jason already submitted a pull request with this change, but I haven't
merged it yet. Will do probably today or tomorrow.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
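A check a build repository could run to catch the option discussed in this thread, as an added example that is not part of the original messages or of the Qubes builder code. The function name `audit_apt_options` and the pattern list (`--force-yes`, `--allow-unauthenticated` and their `APT::Get::` configuration forms) are assumptions of this example, and the sample input is constructed from the line quoted above.

```shell
#!/bin/sh
# Added example: flag apt-get options that let apt continue past its
# "packages cannot be authenticated" prompt. The pattern list is an
# assumption of this example, not a complete policy.

# Lowercase regex; input lines are lowercased before matching.
APT_UNSAFE_RE='(--force-yes|--allow-unauthenticated|apt::get::(force-yes|allowunauthenticated)[^a-z0-9]*(1|true|yes))'

# audit_apt_options FILE...
# Prints "file:line: text" for every non-comment line carrying an unsafe
# option. Returns 1 if anything was flagged, 0 if clean, 2 on misuse.
audit_apt_options() {
    [ "$#" -gt 0 ] || return 2
    awk -v re="$APT_UNSAFE_RE" '
        {
            low = tolower($0)
            # Skip pure comment lines so a note about a removed flag is not flagged.
            if (low ~ re && low !~ /^[ \t]*#/) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# Demo on a constructed sample: the first line is the setting quoted in the
# thread, the last is the same setting with --force-yes dropped.
sample=$(mktemp)
cat > "$sample" <<'EOF'
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
# --force-yes dropped:
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --yes"
EOF
audit_apt_options "$sample" || echo "unsafe apt options found"
rm -f "$sample"
```

Run against the build scripts in CI, a non-zero return fails the job before a template is built with the flag.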

