Package: debootstrap
Version: 1.0.38
Severity: important
Tags: patch

Dear Maintainer,

If the keyring file specified by a script with the keyring() function doesn't exist, debootstrap prints only a warning but the installation continues. As the script clearly mentions the keyring and thus relies on its existence to verify the download, this should cause an error and abort the debootstrap installation. Otherwise a misconfiguration or incomplete installation (missing keyrings) can lead to download and installation of unverified packages.

The following patch fixes this issue and aborts the installation:

--- functions.orig 2012-02-27 18:42:58.000000000 +0100 +++ functions 2012-02-27 18:43:02.000000000 +0100 
@@ -508,7 +508,7 @@ "$relsigdest" "$reldest" || true) | read_gpg_status progress 100 100 DOWNRELSIG "Downloading Release file signature" elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then - warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED" + error 1 KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED" fi }

I'm no debootstrap expert so I may be overlooking something here, if so please tell me. But I think --no-check-gpg already takes care of the case if no verification is required.

Regards,
Simon

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages debootstrap depends on:
ii  wget  1.13.4-2

Versions of packages debootstrap recommends:
ii  debian-archive-keyring  2010.08.28
ii  gnupg                   1.4.11-3

debootstrap suggests no packages.

-- no debconf information
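
Review bot: The new `error 1 KEYRING` line in the `elif` branch reuses the old warning text unchanged, so a user whose run now aborts is told that the keyring is unavailable but not how to proceed. Because this turns a previously non-fatal condition into a hard stop, consider extending the message to name the two ways forward: install the keyring at the path in `$KEYRING_WANTED`, or pass `--no-check-gpg`, the explicit opt-out the report itself refers to. Failing closed here is consistent with the `[ -z "$DISABLE_KEYRING" ]` guard already on this branch. The behaviour change should also be recorded in the changelog or man page, since invocations that used to continue past the warning will now exit with status 1.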