Old 07-24-2008, 08:19 AM
Enrico Zini
 
Default Packages built with unchecked dependencies

Hello,

some time ago, I noticed that using the default pbuilder setup I was
not checking signatures on build-dep packages when building my debian
uploads [1] [2] [3]. I thought this was bad, and since then I pay
attention to it.

Now that I have LVM in my laptop and use schroot, I take care of
building the chroots using "debootstrap --keyring=..." [4], which means
that when I download build-deps inside the chroots, the build-deps get
checked.

Then I tried sbuild to build using my schroot setup, and found that by
default it disables signature checking. So I stopped using sbuild until
I find a way to reenable it.

Then I had a look at some random buildd log[5]:

WARNING: The following packages cannot be authenticated!
x11-common libice6 libsm6 libxau6 libxdmcp6 libxcb1 libxcb-xlib0 libx11-data
libx11-6 libxt6 apt-utils bsdmainutils groff-base libnewt0.52 libpopt0
man-db whiptail libmagic1 file gettext-base libidn11 html2text gettext
intltool-debian po-debconf debhelper cdbs cmake defoma dh-buildinfo
[...]
Authentication warning overridden.
[...]

and found that not even our buildds check signatures, and since I
understand that they don't always reside on the same network as the main
ftp archive, nor they connect to it using some sort of VPN (correct me
if I'm wrong), I worry that this means that they also build packages
using untrusted build-deps.

Am I the only one that feels very, very uncomfortable about this?


Ciao,

Enrico

[1] http://www.enricozini.org/2006/tips/trusted-pbuilder.html
[2] http://wiki.debian.org/SecurePbuilder
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317998
[4] http://www.enricozini.org/2008/tips/joys-of-schroot.html
[5] http://buildd.debian.org/fetch.cgi?&pkg=libept&ver=0.5.21&arch=i386&stamp=1216774836&file=log

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
 
Old 07-24-2008, 11:49 PM
Brian May
 
Default Packages built with unchecked dependencies

Enrico Zini wrote:

> Then I tried sbuild to build using my schroot setup, and found that by
> default it disables signature checking. So I stopped using sbuild until
> I find a way to reenable it.
>
> [...]
>
> and found that not even our buildds check signatures, and since I
> understand that they don't always reside on the same network as the main
> ftp archive, nor they connect to it using some sort of VPN (correct me
> if I'm wrong), I worry that this means that they also build packages
> using untrusted build-deps.
>
> Am I the only one that feels very, very uncomfortable about this?

Yes. Errr... I mean... No! It also makes me uncomfortable too. If there
is some good reason, I don't know what it is. Even if the network path
was completely trusted, I can't think why signature checking should be
disabled.



Anyway, I am lazy ;-). How did you reconfigure sbuild to enable
signature checking?



(On the topic of schroot and sbuild, I found this reference useful; it
is getting dated now but some parts are still relevant:
<http://www.pseudorandom.co.uk/2007/sbuild/>

if only it mentioned what this "apt-get-update" program/script is)

Thanks.

Brian May


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-25-2008, 02:10 AM
Raphael Geissert
 
Default Packages built with unchecked dependencies

Enrico Zini wrote:

> Hello,
>

Hi,

>
> Am I the only one that feels very, very uncomfortable about this?

Nope: http://thread.gmane.org/gmane.linux.debian.devel.general/121242

>
>
> Ciao,
>
> Enrico
>


 
Old 07-25-2008, 08:57 AM
Peter Palfrader
 
Default Packages built with unchecked dependencies

On Thu, 24 Jul 2008, Enrico Zini wrote:

> and found that not even our buildds check signatures

The reason they do this is that they build from incoming
(queue/accepted). And incoming is not signed. I asked Ryan and Joerg
if that could be changed a few weeks ago and they said they'd look into
it. Joerg mentioned something about doing it during debcamp.

Cheers,
weasel
--
| .'`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/


 
Old 07-25-2008, 09:08 AM
Enrico Zini
 
Default Packages built with unchecked dependencies

On Fri, Jul 25, 2008 at 09:49:00AM +1000, Brian May wrote:

>> Am I the only one that feels very, very uncomfortable about this?
> Yes. Errr... I mean... No! It also makes me uncomfortable too. If there
> is some good reason, I don't know what it is. Even if the network path
> was completely trusted, I can't think why signature checking should be
> disabled.

This is mentioned in the thread that Raphael Geissert points to in the
other message: basically, the buildds skip signature checking because
they also need to get packages from incoming, which are not in a signed
repository. I'm following up to this in a reply to Raphael, though.

> Anyway, I am lazy ;-). How did you reconfigure sbuild to enable
> signature checking?

It seems that you can't, in my version of sbuild, unless you patch the
code. The code responsible for disabling signature checking is in
/usr/share/perl5/Sbuild/Chroot.pm and it does not seem to allow any sort
of customisation:

    sub _setup_options ($$) {
        [...]
        if (defined($info) &&
            defined($info->{'Location'}) && -d $info->{'Location'}) {
            [...]
            my $aptconf = "/var/lib/sbuild/apt.conf";
            [...]
            # Always write out apt.conf, because it may become outdated.
            if (my $F = new File::Temp( TEMPLATE => "$aptconf.XXXXXX",
                                        DIR => $self->get('Location'),
                                        UNLINK => 0) ) {
                print $F "APT::Get::AllowUnauthenticated true;\n";
                print $F "APT::Install-Recommends false;\n";
                if (! rename $F->filename, $chroot_aptconf) {
                    die "Can't rename $F->filename to $chroot_aptconf: $!\n";
                }
            }
        } else {
            die $self->get('Chroot ID') . " chroot does not exist\n";
        }
    }

> (On the topic of schroot and sbuild, I found this reference useful; it
> is getting dated now but some parts are still relevant:
> <http://www.pseudorandom.co.uk/2007/sbuild/>
> if only it mentioned what this "apt-get-update" program/script is)

You can actually ignore that if you run something like this before you
start doing your builds of the day:

schroot -c sid-source -- sh -c "apt-get update; apt-get dist-upgrade; apt-get autoclean; apt-get clean"


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
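
An added example, not part of the original messages or of sbuild: a small Python audit that flags the two symptoms discussed in this thread, the apt warning block seen in the buildd log and the `APT::Get::AllowUnauthenticated true;` line that Chroot.pm writes. The sample log, the sample apt.conf text, the mirror hostname and the function names are constructed for illustration; only apt's flat `Key value;` syntax is handled.

```python
import re

# Constructed sample modelled on the buildd log excerpt quoted in the thread.
SAMPLE_LOG = """\
Reading package lists...
WARNING: The following packages cannot be authenticated!
  x11-common libice6 libsm6 libxau6
  libx11-6 libxt6 apt-utils
Authentication warning overridden.
Get:1 http://mirror.example/debian sid/main x11-common 1:7.3 [100kB]
"""

# Constructed sample of the fragment Sbuild/Chroot.pm writes, per the thread.
SAMPLE_APTCONF = """\
APT::Get::AllowUnauthenticated true;
APT::Install-Recommends false;
"""

WARN = "WARNING: The following packages cannot be authenticated!"
OVERRIDE = "Authentication warning overridden."
# Flat "Key value;" form only; apt's nested { } syntax is not handled here.
UNAUTH_RE = re.compile(
    r'^\s*APT::Get::AllowUnauthenticated\s+"?(true|yes|on|1)"?\s*;',
    re.I | re.M)


def unauthenticated_installs(log_text):
    """Return (packages, overridden) for the apt warning block in a build log."""
    packages, overridden, in_block = [], False, False
    for line in log_text.splitlines():
        if line.strip() == WARN:
            in_block = True
        elif line.strip() == OVERRIDE:
            overridden, in_block = True, False
        elif in_block:
            # apt indents the package list; an unindented line ends the block.
            if line.startswith((" ", "\t")):
                packages.extend(line.split())
            else:
                in_block = False
    return packages, overridden


def allows_unauthenticated(aptconf_text):
    """True if an apt.conf fragment turns off signature enforcement."""
    # Drop // and # comments so a commented-out setting is not reported.
    uncommented = re.sub(r'(//|#).*', '', aptconf_text)
    return bool(UNAUTH_RE.search(uncommented))
```

A build whose log yields a non-empty package list with `overridden` set was assembled from build-deps that apt could not verify.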
 
Old 07-25-2008, 09:20 AM
Enrico Zini
 
Default Packages built with unchecked dependencies

On Fri, Jul 25, 2008 at 10:57:40AM +0200, Peter Palfrader wrote:
> On Thu, 24 Jul 2008, Enrico Zini wrote:
> > and found that not even our buildds check signatures
> The reason they do this is that they build from incoming
> (queue/accepted). And incoming is not signed. I asked Ryan and Joerg
> if that could be changed a few weeks ago and they said they'd look into
> it. Joerg mentioned something about doing it during debcamp.

Oh thanks, lovely. I'm glad to hear something's moving: I feel a bit
better now.


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
 
Old 07-25-2008, 10:21 AM
Enrico Zini
 
Default Packages built with unchecked dependencies

On Fri, Jul 25, 2008 at 10:08:57AM +0100, Enrico Zini wrote:

> It seems that you can't, in my version of sbuild, unless you patch the
> code.

...and if you want to patch the code, you can actually do it using the
patch that I've just prepared and sent at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492327


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
 
Old 07-27-2008, 04:09 PM
Roger Leigh
 
Default Packages built with unchecked dependencies

On Thu, Jul 24, 2008 at 09:19:24AM +0100, Enrico Zini wrote:
> Then I tried sbuild to build using my schroot setup, and found that by
> default it disables signature checking. So I stopped using sbuild until
> I find a way to reenable it.

Just to follow up:

- sbuild initially copied what the buildds were doing, and it also made
sense back when signature checking was new and it broke things, but
not any more.
- over the weekend, I rewrote sbuild-createchroot to work better with
debootstrap, and this includes using --keyring by default so that
signature checking will be enabled by default in the chroot.
- I also applied Enrico's patch which simply makes signature checking
optional, rather than hard-coding it to be disabled, as it was
previously.

This is now in git, and it will be uploaded in the next few days. Any
testing would be appreciated.


Thanks,
Roger

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.

