Hi Christoph,

Christoph Anton Mitterer wrote:
> In the most recent NEWS.Debian entry, you describe how users
> can retrieve an old version of the screen package in order to
> connect to pre 4.1 sessions.
>
> A security problem IMHO is, that a simple download, not even
> https secured (which also wouldn't be that good), is advised.
HTTPS may not be supported by all mirrors returned by cdn.debian.net. Additionally, for APT via HTTPS to work, a separate package (apt-transport-https) is needed which may not be installed. See also below.

> This makes a "hole" in secure APT; which otherwise only
> brings secured packages in the system.

Valid point.

> Now there are several ways to get around this, amongst others:
> a) Suggest the users instead to add a sources.list entry
> for oldstable (where an old screen should be available) and a
> command to downgrade to that.

I consciously avoid APT and dpkg at that point as the howto must work even when the dpkg or APT state databases are locked by a process running inside the currently not reachable screen session. This also includes installing further packages to get things done, like e.g. devscripts for dget, debian-goodies for debget, or apt-transport-https for HTTPS support.

I can check if apt-get update and apt-get install -d work without locking. If so, this is potentially an alternative. But from my mind, I'd say there is some locking so this wouldn't work.

> b) Include SHA512 sums for the .deb files of the most recent
> 4.0.3 version for all architectures.

Cumbersome, but also an option. I fear, though, that it's too cumbersome so no one would actually check the hashsum. So I'd rather use something like the following which IMHO is more user-friendly as it's copy & paste only and the user doesn't have to find out which hashsum to check, just those which have been displayed.
# Fetch the Squeeze Release file and its detached signature
wget http://cdn.debian.net/debian/dists/squeeze/Release
wget http://cdn.debian.net/debian/dists/squeeze/Release.gpg
# Verify the signature with the archive keyring available on this system:
# Wheezy/Sid ship it in /etc/apt/trusted.gpg.d/, Squeeze in /etc/apt/trusted.gpg
if [ -r /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ]; then
    gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg Release.gpg Release
else
    gpgv --keyring /etc/apt/trusted.gpg Release.gpg Release
fi
ARCH=$(dpkg --print-architecture)
# Fetch the package index and compare its SHA256 with the one listed in Release
wget http://cdn.debian.net/debian/dists/squeeze/main/binary-$ARCH/Packages.gz
sha256sum Packages.gz
fgrep main/binary-$ARCH/Packages.gz Release
# Check if hashsums are the same. If yes, continue
# Fetch the .deb named in the index's screen stanza and compare its SHA256 with the stanza
wget http://cdn.debian.net/debian/$(zegrep -A13 '^Package: screen$' Packages.gz | awk '/^Filename:/ {print $2}')
zegrep -A13 '^Package: screen$' Packages.gz
sha256sum screen_*.deb
# Check if hashsums are the same. If yes, continue
# Unpack only the binary, without touching dpkg, and reattach to the old session
dpkg-deb --fsys-tarfile screen_*.deb | tar xvf - ./usr/bin/screen
usr/bin/screen -rd

sha256sum comes from coreutils, *grep from gzip + grep (all essential). Only wget and gpgv are just of priority important. Unfortunately I can't use the same keyring on Sid/Wheezy and Squeeze, so depending on how far the upgrade went, I have to use a different keyring for gpgv.

> I'd suggest a),

As mentioned above, it must also work if dpkg or APT are locked and I suspect that this means that apt-get can't be used at all.

> as b) has the disadvantages that the sums get out of date, once
> there should be a security upload of a newer 4.0.3 version to
> oldstable.

That problem arises even with the current instructions since the package's version is already hardcoded. It has been addressed in the example above, too.

Is the above "howto" ok for you with regards to secure APT?

		Regards, Axel
-- 
,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' : |  Debian Developer, ftp.ch.debian.org Admin
`. `'  |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
  `-   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
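The two "check if hashsums are the same" steps in the howto above are done by eye; the following added example (not part of the thread, not Debian's or Axel's code) performs the same Release -> Packages -> .deb chain of SHA256 lookups mechanically so that a mismatch, or a path missing from the index, cannot be waved through. It assumes an uncompressed Packages file (zcat the Packages.gz first) and uses a constructed sample index written by the hypothetical helper make_sample_index, so it runs offline.

```shell
#!/bin/sh
# Added example: mechanical version of the howto's two hash comparisons.
# Looks up the expected SHA256 in Release / Packages and compares it with
# the downloaded file; only sh, awk and coreutils are needed, no dpkg/APT.

# Print the SHA256 listed for <path> in the "SHA256:" section of <Release>.
# MD5Sum:/SHA1: list the same path, so the current section must be tracked.
release_sha256() {
    awk -v path="$2" '/^[A-Za-z0-9-]+:/ { section = $1 }
        section == "SHA256:" && $3 == path { print $1 }' "$1"
}

# Print <field> from the stanza of <package> in an uncompressed Packages file.
# Stanzas are blank-line separated, so awk paragraph mode (RS="") isolates a
# whole stanza instead of guessing its length with "zegrep -A13".
packages_field() {
    awk -v pkg="$2" -v field="$3" 'BEGIN { RS = ""; FS = "\n" }
        $1 == ("Package: " pkg) {
            for (i = 1; i <= NF; i++)
                if (index($i, field ": ") == 1) print substr($i, length(field) + 3)
        }' "$1"
}

# Succeed only if <file> hashes to <expected>. An empty expectation (path not
# found in the index) is treated as a mismatch, never as "nothing to compare".
verify_sha256() {
    [ -n "$2" ] || return 1
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Constructed sample index (not real Debian data): a Packages file with two
# stanzas and a Release whose SHA256: section covers it. Written into <dir>.
make_sample_index() {
    printf 'Package: screen\nVersion: 4.0.3-14\nArchitecture: %s\nFilename: pool/main/s/screen/screen_4.0.3-14_%s.deb\nSHA256: 0123abcd\n\nPackage: screenie\nFilename: pool/main/s/screenie/screenie_1.30.0-6_all.deb\nSHA256: ffff\n' "$2" "$2" > "$1/Packages"
    printf 'Suite: squeeze\nMD5Sum:\n d41d8cd9 %s main/binary-%s/Packages\nSHA256:\n %s %s main/binary-%s/Packages\n' \
        "$(wc -c < "$1/Packages")" "$2" "$(sha256sum "$1/Packages" | cut -d' ' -f1)" "$(wc -c < "$1/Packages")" "$2" > "$1/Release"
}

demo() {
    dir=$(mktemp -d); arch=amd64
    make_sample_index "$dir" "$arch"
    expected=$(release_sha256 "$dir/Release" "main/binary-$arch/Packages")
    verify_sha256 "$dir/Packages" "$expected" && echo "Packages: matches Release"
    echo "screen .deb to fetch: $(packages_field "$dir/Packages" screen Filename)"
    echo "expected .deb SHA256: $(packages_field "$dir/Packages" screen SHA256)"
    echo tampered >> "$dir/Packages"      # simulate a modified index
    verify_sha256 "$dir/Packages" "$expected" || echo "Packages: MISMATCH, stop here"
    rm -rf "$dir"
}
demo
```

The same three functions apply unchanged to the real files fetched in the howto once Packages.gz has been decompressed; the verified .deb hash is then compared against the SHA256 field of the screen stanza in the same way.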