Thijs Kinkhorst
2011-Jan-15 10:46 UTC
[Secure-testing-team] Bug#610086: Do not use --allow-unauthenticated to fetch packages
Package: ia32-libs Version: 20110115 Severity: important Tags: security patch Hi, The fetch-and-build script uses --allow-unauthenticated to download the packages to include in the build. This is quite undesirable because essentially this unnecessarily breaks the trust chain for the hundreds of megabytes of package data that are used to build this package. Please include attached patch which resolves that by bootstrapping the APT trustdb with the keys installed on the local system. Cheers, Thijs -------------- next part -------------- --- fetch-and-build.orig 2011-01-15 11:09:06.691996158 +0100 +++ fetch-and-build 2011-01-15 11:31:58.643990659 +0100 @@ -59,15 +59,10 @@ mkdir -p $APTDIR/state/lists/partial mkdir -p $APTDIR/cache/archives/partial echo -n > $APTDIR/state/status +# Bootstrap APT keystore with the one from the local system +cp -a /etc/apt/trusted.gpg $APTDIR/etc/ -# Probe apt version for --allow-unauthenticated -APT_VER=$(apt-get --version | head --lines 1 | cut -d" " -f2) -if dpkg --compare-versions "$APT_VER" ">=" 0.6; then - # Sid apt needs authentication - APT_AUTH="--allow-unauthenticated" -fi - -APT_GET="$APT_GET $APT_AUTH" +APT_GET="$APT_GET" $APT_GET update $APT_GET autoclean