Hi apt maintainers,

FYI: I got a bug report (#610086) for ia32-libs because it still used --allow-unauthenticated when fetching packages and sources. The problem is that it runs apt-get as user so it does not have access to the critical files in /etc/apt. I'm CCing you in the hope you have a solution for this.

Thijs Kinkhorst <th...@debian.org> writes:

> Package: ia32-libs
> Version: 20110115
> Severity: important
> Tags: security patch
>
> Hi,
>
> The fetch-and-build script uses --allow-unauthenticated to download the
> packages to include in the build. This is quite undesirable because
> essentially this unnecessarily breaks the trust chain for the hundreds
> of megabytes of package data that are used to build this package.
>
> Please include attached patch which resolves that by bootstrapping the
> APT trustdb with the keys installed on the local system.
>
>
> Cheers,
> Thijs
>
> --- fetch-and-build.orig 2011-01-15 11:09:06.691996158 +0100 > +++ fetch-and-build 2011-01-15 11:31:58.643990659 +0100 > @@ -59,15 +59,10 @@ > mkdir -p $APTDIR/state/lists/partial > mkdir -p $APTDIR/cache/archives/partial > echo -n > $APTDIR/state/status > +# Bootstrap APT keystore with the one from the local system > +cp -a /etc/apt/trusted.gpg $APTDIR/etc/ > > -# Probe apt version for --allow-unauthenticated > -APT_VER=$(apt-get --version | head --lines 1 | cut -d" " -f2) > -if dpkg --compare-versions "$APT_VER" ">=" 0.6; then > - # Sid apt needs authentication > - APT_AUTH="--allow-unauthenticated" > -fi > - > -APT_GET="$APT_GET $APT_AUTH" > +APT_GET="$APT_GET" > > $APT_GET update > $APT_GET autoclean

Yeah, this would be nice. BUT:

-rw------- 1 root root 12K Nov 16 2009 /etc/apt/trusted.gpg

Non-root users do not have permissions for this file and I'm not going to build ia32-libs as root.

Apt team: Would it be possible to make this file world readable?

Regards,
Goswin
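
Review bot: The added `cp -a /etc/apt/trusted.gpg $APTDIR/etc/` in the quoted patch has no failure check, and the reply shows the source file as `-rw------- 1 root root`, so on a non-root build the copy fails and, unless the script runs under `set -e` (not visible in this hunk), execution continues to `$APT_GET update` with no keyring in `$APTDIR/etc/`. Test readability first (`[ -r /etc/apt/trusted.gpg ]`) and abort with a clear message rather than letting the failure surface later as signature errors, and do not fall back to `--allow-unauthenticated` in that branch, since that would reintroduce the problem the patch removes. `$APTDIR` should also be quoted in the new line. The remaining `+APT_GET="$APT_GET"` is a self-assignment with no effect and can be dropped.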