Debian Bug report logs - #703146
apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?


Package: debootstrap; Maintainer for debootstrap is Debian Install System Team <debian-boot@lists.debian.org>; Source for debootstrap is src:debootstrap.

Reported by: Steven Shiau <steven@nchc.org.tw>

Date: Sat, 16 Mar 2013 08:45:01 UTC

Severity: serious

Tags: confirmed

Merged with 704190

Found in version debootstrap/1.0.44

Fixed in version debootstrap/1.0.47

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, steven@nchc.org.tw, APT Development Team <deity@lists.debian.org>:
Bug#703146; Package apt. (Sat, 16 Mar 2013 08:45:05 GMT)

Acknowledgement sent to Steven Shiau <steven@nchc.org.tw>:
New Bug report received and forwarded. Copy sent to steven@nchc.org.tw, APT Development Team <deity@lists.debian.org>. (Sat, 16 Mar 2013 08:45:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steven Shiau <steven@nchc.org.tw>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Sat, 16 Mar 2013 16:47:19 +0800
[Message part 1 (text/plain, inline)]
Package: apt
Version: 0.9.7.8
Severity: important

Dear Maintainer,
I got an error: 
W: GPG error: http://ftp.us.debian.org sid Release: The following signatures were invalid: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
when run "apt-get update" in a debootstrap sid base system.
The steps to reproduce this issue:
1. LANG=C debootstrap --verbose --arch=i386 sid sid-chroot http://ftp.us.debian.org/debian
2. chroot sid-chroot/
3. apt-get update
Get:1 http://ftp.us.debian.org sid Release.gpg [836 B]
Hit http://ftp.us.debian.org sid Release
Ign http://ftp.us.debian.org sid Release
Get:2 http://ftp.us.debian.org sid/main i386 Packages/DiffIndex [7876 B]
Get:3 http://ftp.us.debian.org sid/main Translation-en [4111 kB]
Fetched 4120 kB in 12s (331 kB/s)
Reading package lists... Done
W: GPG error: http://ftp.us.debian.org sid Release: The following signatures were invalid: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

Two days ago the same steps worked without any issue. Attached please find the whole log.

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg                   1.4.12-7
ii  libapt-pkg4.12          0.9.7.8
ii  libc6                   2.13-38
ii  libgcc1                 1:4.7.2-5
ii  libstdc++6              4.7.2-5

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.16.9
pn  python-apt                   <none>
ii  xz-utils                     5.1.1alpha+20120614-2

-- no debconf information
[sid-apt-err.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#703146; Package apt. (Sat, 16 Mar 2013 10:27:11 GMT)

Acknowledgement sent to David Kalnischkies <kalnischkies+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 16 Mar 2013 10:27:11 GMT)

Message #10 received at 703146@bugs.debian.org:

From: David Kalnischkies <kalnischkies+debian@gmail.com>
To: Steven Shiau <steven@nchc.org.tw>, 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Sat, 16 Mar 2013 11:24:38 +0100
Hi Steven,

could you please try again?

This is very likely a temporary mirror hiccup while it is syncing.

With disabling InRelease we get all the Release vs. Release.gpg mismatches
back, which look/are more critical than the (In)Release vs. Packages & Co.
mismatches. There are various ideas to make syncs more atomic, but none
is foolproof - and need "provider" support as APT is only a "consumer" here.


Best regards

David Kalnischkies



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#703146; Package apt. (Sat, 16 Mar 2013 12:12:08 GMT)

Acknowledgement sent to Steven Shiau <steven@nchc.org.tw>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 16 Mar 2013 12:12:09 GMT)

Message #15 received at 703146@bugs.debian.org:

From: Steven Shiau <steven@nchc.org.tw>
To: David Kalnischkies <kalnischkies+debian@gmail.com>
Cc: 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Sat, 16 Mar 2013 20:08:56 +0800
Hi David,
I did a test 10 minutes ago, but still got the same error.
Anything more I can test here?
Thanks.

Steven.

On 03/16/2013 06:24 PM, David Kalnischkies wrote:
> Hi Steven,
> 
> could you please try again?
> 
> This is very likely a temporary mirror hiccup while it is syncing.
> 
> With disabling InRelease we get all the Release vs. Release.gpg mismatches
> back, which look/are more critical than the (In)Release vs. Packages & Co.
> mismatches. There are various ideas to make syncs more atomic, but none
> is foolproof - and need "provider" support as APT is only a "consumer" here.
> 
> 
> Best regards
> 
> David Kalnischkies
> 

-- 
Steven Shiau <steven _at_ nchc org tw> <steven _at_ stevenshiau org>
National Center for High-performance Computing, Taiwan.
http://www.nchc.org.tw
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0  8796 11C1 12DA 47CF 935C



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#703146; Package apt. (Sat, 16 Mar 2013 19:12:07 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 16 Mar 2013 19:12:07 GMT)

Message #20 received at 703146@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 703146@bugs.debian.org
Cc: 703146-subscribe@bugs.debian.org
Subject: jenkins.debian.net also affected
Date: Sat, 16 Mar 2013 12:10:10 -0700
Hi,

at http://jenkins.debian.net/view/chroot-installation/ you can see several 
jobs which started failing yesterday and which all show symptoms of this bug.

I'd be very happy to learn about any workaround I can use to make these jobs 
succeed again...


cheers,
	Holger



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#703146; Package apt. (Sun, 17 Mar 2013 09:51:06 GMT)

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 17 Mar 2013 09:51:06 GMT)

Message #25 received at 703146@bugs.debian.org:

From: Michael Vogt <mvo@debian.org>
To: David Kalnischkies <kalnischkies+debian@gmail.com>, 703146@bugs.debian.org
Cc: Steven Shiau <steven@nchc.org.tw>
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Sun, 17 Mar 2013 10:48:14 +0100
On Sat, Mar 16, 2013 at 11:24:38AM +0100, David Kalnischkies wrote:
> Hi Steven,
Hi David and Steven,
 
> could you please try again?
> 
> This is very likely a temporary mirror hiccup while it is syncing.
> 
> With disabling InRelease we get all the Release vs. Release.gpg mismatches
> back, which look/are more critical than the (In)Release vs. Packages & Co.
> mismatches. There are various ideas to make syncs more atomic, but none
> is foolproof - and need "provider" support as APT is only a "consumer" here.

I can reproduce this here:
"""
$ sudo LANG=C debootstrap --verbose --arch=i386 sid sid-chroot
...
$ sudo chroot sid-chroot
root@bod:/# ls -l /var/lib/apt/lists/
total 30028
-rw-r--r-- 1 root root   236078 Mar 17 02:22
ftp.us.debian.org_debian_dists_sid_Release
-rw-r--r-- 1 root root 30506862 Mar 17 02:02
ftp.us.debian.org_debian_dists_sid_main_binary-i386_Packages
drwxr-xr-x 2 root root     4096 Mar 17 09:21 partial

root@bod:/# apt-get update
Get:1 http://ftp.us.debian.org sid Release.gpg [836 B]
Hit http://ftp.us.debian.org sid Release
Ign http://ftp.us.debian.org sid Release
Get:2 http://ftp.us.debian.org sid/main i386 Packages/DiffIndex [7876 B]
Get:3 http://ftp.us.debian.org sid/main Translation-en [4112 kB]
Fetched 4120 kB in 9s (436 kB/s)                                               
Reading package lists... Done
W: GPG error: http://ftp.us.debian.org sid Release: The following
signatures were invalid: BADSIG AED4B06F473041FA Debian Archive
Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
"""

And indeed, there is something funny going on, looking at:
# head /var/lib/apt/lists/ftp.us.debian.org_debian_dists_sid_Release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Origin: Debian
...

shows that it's actually the InRelease file after the apt-get update,
which of course does not verify against the Release.gpg.

It looks like debootstrap is putting it here. I just re-ran
debootstrap and indeed, the file put there in the chroot is called
"_Release" but it's actually the "_InRelease" file. Apt-get update will
send an If-Modified-Since header to the remote server and get a
"not-modified", so it leaves the Release file alone, but the downloaded
Release.gpg does not match.

Renaming the downloaded _Release file to _InRelease fixes the
issue. This bug in debootstrap was masked by the previous apt that was
downloading a new InRelease and not touching the already present Release
file - but now that InRelease support is disabled it's triggered.

Cheers,
 Michael



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#703146; Package apt. (Sun, 17 Mar 2013 19:15:07 GMT)

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 17 Mar 2013 19:15:07 GMT)

Message #30 received at 703146@bugs.debian.org:

From: Michael Vogt <mvo@debian.org>
To: David Kalnischkies <kalnischkies+debian@gmail.com>, 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Sun, 17 Mar 2013 20:13:14 +0100
[Message part 1 (text/plain, inline)]
On Sun, Mar 17, 2013 at 10:48:14AM +0100, Michael Vogt wrote:
> On Sat, Mar 16, 2013 at 11:24:38AM +0100, David Kalnischkies wrote:
[..]
> It looks like debootstrap is putting it here. I just re-ran
> debootstrap and indeed, the file put there in the chroot is called
> "_Release" but it's actually the "_InRelease" file. Apt-get update will
> send an If-Modified-Since header to the remote server and get a
> "not-modified", so it leaves the Release file alone, but the downloaded
> Release.gpg does not match.
[..]

The attached debdiff should fix it in debootstrap. It adds a gpg
dependency though.

Cheers,
 Michael
[debootstrap_1.0.44.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#703146; Package apt. (Tue, 19 Mar 2013 05:51:04 GMT)

Acknowledgement sent to steven@nchc.org.tw:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Tue, 19 Mar 2013 05:51:04 GMT)

Message #35 received at 703146@bugs.debian.org:

From: Steven Shiau <steven@nchc.org.tw>
To: Michael Vogt <mvo@debian.org>
Cc: David Kalnischkies <kalnischkies+debian@gmail.com>, 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Tue, 19 Mar 2013 13:49:38 +0800
Hi Michael,
I confirmed that your patch does fix this issue.
Thanks.
Hope this patch will be applied in the next version of debootstrap...

Steven.
-- 
Steven Shiau <steven _at_ nchc org tw> <steven _at_ stevenshiau org>
National Center for High-performance Computing, Taiwan.
http://www.nchc.org.tw
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0  8796 11C1 12DA 47CF 935C



Bug reassigned from package 'apt' to 'debootstrap'. Request was from Michael Vogt <mvo@debian.org> to control@bugs.debian.org. (Tue, 19 Mar 2013 16:12:13 GMT)

No longer marked as found in versions apt/0.9.7.8. Request was from Michael Vogt <mvo@debian.org> to control@bugs.debian.org. (Tue, 19 Mar 2013 16:12:14 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 20 Mar 2013 01:03:04 GMT)

Acknowledgement sent to Thierry <sage-debian-live-bugreport@lma.metelu.net>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 20 Mar 2013 01:03:04 GMT)

Message #44 received at 703146@bugs.debian.org:

From: Thierry <sage-debian-live-bugreport@lma.metelu.net>
To: 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Wed, 20 Mar 2013 02:09:09 +0100
Hi,

I fell on a similar problem while running the following command on
wheezy (you should have the live-config, live-boot and live-build packages
installed):

lb config --architectures i386 ; sudo lb build

I got the same warning (which eventually led to an error saying that
some packages cannot be authenticated):

W: GPG error: http://ftp.debian.org wheezy Release: The following
signatures were invalid: BADSIG AED4B06F473041FA Debian Archive
Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

Hope this helps to reproduce the bug and check the fix.

Ciao,
Thierry




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 20 Mar 2013 03:51:04 GMT)

Acknowledgement sent to steven@nchc.org.tw:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 20 Mar 2013 03:51:05 GMT)

Message #49 received at 703146@bugs.debian.org:

From: Steven Shiau <steven@nchc.org.tw>
To: Michael Vogt <mvo@debian.org>
Cc: David Kalnischkies <kalnischkies+debian@gmail.com>, 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Wed, 20 Mar 2013 11:47:41 +0800
[Message part 1 (text/plain, inline)]
I suggest adding a command "rm -f $reldest" before the gpg command, as 
attached.
Otherwise, although it works for debootstrap, when used with 
Debian live-build it will enter interactive mode:
=========================================
P: If the following stage fails, the most likely cause of the problem is 
with your mirror configuration, a caching proxy or the sid distribution.
P: Running debootstrap...
I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id 9FED2BCBDCD29CDF762678CBAED4B06F473041FA)
File 
`/work/debian-live/chroot/var/lib/apt/lists/debootstrap.invalid_dists_sid_Release' 
exists. Overwrite? (y/N)
=========================================

My 2 cents.

Steven.

-- 
Steven Shiau <steven _at_ nchc org tw> <steven _at_ stevenshiau org>
National Center for High-performance Computing, Taiwan.
http://www.nchc.org.tw
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0  8796 11C1 12DA 47CF 935C
[functions.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 20 Mar 2013 15:45:07 GMT)

Acknowledgement sent to Thierry <sage-debian-live-bugreport@lma.metelu.net>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 20 Mar 2013 15:45:07 GMT)

Message #54 received at 703146@bugs.debian.org:

From: Thierry <sage-debian-live-bugreport@lma.metelu.net>
To: 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Wed, 20 Mar 2013 16:50:13 +0100
Hi,

to be more precise about my previous message (#44), here is a log of
what happened while running

lb config --architectures i386 ; sudo lb build

http://paste.debian.net/243117/

Interesting lines are 791, 845, 863, 911, 915.

By the way, may this bug be related to #614029 ?
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614029

Ciao,
Thierry




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 20 Mar 2013 20:00:07 GMT)

Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 20 Mar 2013 20:00:07 GMT)

Message #59 received at 703146@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 703146@bugs.debian.org, debian-release@lists.debian.org
Subject: #703146 release critical?
Date: Wed, 20 Mar 2013 20:57:59 +0100
[Message part 1 (text/plain, inline)]
I just installed a new wheezy machine as my brand new "garage" build
server and got hit by #703146. No way to create cowbuilder/pbuilder
chroots.


The patch in #703146 does indeed fix the issue.

Shouldn't this definitely go in wheezy?

-- 


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 20 Mar 2013 21:03:04 GMT)

Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 20 Mar 2013 21:03:04 GMT)

Message #64 received at 703146@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 703146@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#703146: #703146 release critical?
Date: Wed, 20 Mar 2013 21:59:33 +0100
[Message part 1 (text/plain, inline)]
Quoting Christian PERRIER (bubulle@debian.org):
> I just installed a new wheezy machine as my brand new "garage" build
> server and got hit by #703146. No way to create cowbuilder/pbuilder
> chroots.
> 
> 
> The patch in #703146 does indeed fix the issue.
> 
> Shouldn't this definitely go in wheezy?

I have an upload ready that includes Michael Vogt's patch and moves
gpg from Recommends to Depends.

Please object if I shouldn't upload.

This upload allows pbuilder to build a build chroot, so it seems fine,
but, not being a wizard with debootstrap and archive stuff, I'd
appreciate someone to confirm that fixing this is OK and fixing it the
way it has been proposed in #703146 is OK too.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 20 Mar 2013 21:21:04 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 20 Mar 2013 21:21:04 GMT)

Message #69 received at 703146@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: debian-boot@lists.debian.org, Christian PERRIER <bubulle@debian.org>, 703146@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#703146: #703146 release critical?
Date: Wed, 20 Mar 2013 17:16:45 -0400
Hi Christian,

On Mittwoch, 20. März 2013, Christian PERRIER wrote:
> I have an upload ready that includes Michael Vogt's patch and moves
> gpg from Recommends to Depends.

does it include the -f option as needed for live-$something? (see this bug's 
log)

> Please object if I shouldn't upload.
> 
> This upload allows pbuilder to build a build chroot, so it seems fine,
> but, not being a wizard with debootstrap and archive stuff, I'd
> appreciate someone to confirm that fixing this is OK and fixing it the
> way it has been proposed in #703146 is OK too.

a debdiff to the version in wheezy would have been nice :)


cheers,
	Holger




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Thu, 21 Mar 2013 06:09:04 GMT)

Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Thu, 21 Mar 2013 06:09:04 GMT)

Message #74 received at 703146@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 703146@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#703146: #703146 release critical?
Date: Thu, 21 Mar 2013 07:05:47 +0100
[Message part 1 (text/plain, inline)]
Quoting Holger Levsen (holger@layer-acht.org):
> Hi Christian,
> 
> On Mittwoch, 20. März 2013, Christian PERRIER wrote:
> > I have an upload ready that includes Michael Vogt's patch and moves
> > gpg from Recommends to Depends.
> 
> does it include the -f option as needed for live-$something? (see this bug's 
> log)

        if [ "$release_file_variant" = "IN" ]; then
                rm -f $reldest
                gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest"
        fi

> > Please object if I shouldn't upload.
> > 
> > This upload allows pbuilder to build a build chroot, so it seems fine,
> > but, not being a wizard with debootstrap and archive stuff, I'd
> > appreciate someone to confirm that fixing this is OK and fixing it the
> > way it has been proposed in #703146 is OK too.
> 
> a debdiff to the version in wheezy would have been nice :)


Will do that.



[signature.asc (application/pgp-signature, inline)]

Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. (Fri, 22 Mar 2013 06:21:04 GMT)

Notification sent to Steven Shiau <steven@nchc.org.tw>:
Bug acknowledged by developer. (Fri, 22 Mar 2013 06:21:04 GMT)

Message #79 received at 703146-close@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 703146-close@bugs.debian.org
Subject: Bug#703146: fixed in debootstrap 1.0.47
Date: Fri, 22 Mar 2013 06:17:29 +0000
Source: debootstrap
Source-Version: 1.0.47

We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 703146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 20 Mar 2013 21:34:29 +0100
Source: debootstrap
Binary: debootstrap debootstrap-udeb
Architecture: source all
Version: 1.0.47
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 debootstrap - Bootstrap a basic Debian system
 debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 703146
Changes: 
 debootstrap (1.0.47) unstable; urgency=low
 .
   * Team upload
   * Properly decrypt the InRelease file when downloading from an archive
     where InRelease is used. This longstanding bug was masked by former
     APT behaviour and was revealed only with recent APT versions
     Closes: #703146
     Thanks to Michael Vogt for the analysis and patch
   * Add a dependency on gpg because of the above change.
Checksums-Sha1: 
 530a7eb37bb60d87d464e93ed43c6d9f969570f1 1779 debootstrap_1.0.47.dsc
 9a02c00dd4dbf3a5414d2dcfb26c3662a36e0c91 57858 debootstrap_1.0.47.tar.gz
 dfe02b5033f2f59d2ece6ce5c0594bc9f1c0a671 59718 debootstrap_1.0.47_all.deb
 2a839f47c2e671dc8fa7064470e9c242f4be060d 17990 debootstrap-udeb_1.0.47_all.udeb
Checksums-Sha256: 
 f6ead7cad66ccf8c0772adb3cd38f9911aa4d9c76619d8ed19618ea14d5d0f6e 1779 debootstrap_1.0.47.dsc
 5b7650dc32f427f7cd03c63aad147ac674099a5eb5bbad383940ff38ae9f4ec4 57858 debootstrap_1.0.47.tar.gz
 d1a8eeb650f4ba4b5b068f3ddb7b3a0108de837cd38f3f3c82b11403332b3775 59718 debootstrap_1.0.47_all.deb
 7e58146c460452bca1423b0d8e73e699e02128e28941426169c0398e81ff8b2a 17990 debootstrap-udeb_1.0.47_all.udeb
Files: 
 807c0420dc9f91324abab42b9e3c2854 1779 admin extra debootstrap_1.0.47.dsc
 c68080e49a4defd754eb1892d368fa5f 57858 admin extra debootstrap_1.0.47.tar.gz
 6212031bd17841065cb2a9fa325b3a23 59718 admin extra debootstrap_1.0.47_all.deb
 04e4e78f255ab53ec0bc08fab48e2488 17990 debian-installer extra debootstrap-udeb_1.0.47_all.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
[signature data elided]
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Fri, 22 Mar 2013 07:54:04 GMT)

Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Fri, 22 Mar 2013 07:54:04 GMT)

Message #84 received at 703146@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 703146@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#703146: #703146 release critical?
Date: Fri, 22 Mar 2013 07:21:40 +0100
[Message part 1 (text/plain, inline)]
Quoting Christian PERRIER (bubulle@debian.org):

> > > This upload allows pbuilder to build a build chroot, so it seems fine,
> > > but, not being a wizard with debootstrap and archive stuff, I'd
> > > appreciate someone to confirm that fixing this is OK and fixing it the
> > > way it has been proposed in #703146 is OK too.
> > 
> > a debdiff to the version in wheezy would have been nice :)
> 
> 
> Will do that.
> 
> 
> 

debootstrap 1.0.47 has been uploaded with the attached debdiff


-- 


[debootstrap-1.0.47-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Mon, 25 Mar 2013 14:03:07 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Mon, 25 Mar 2013 14:03:07 GMT)

Message #89 received at 703146@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: Christian PERRIER <bubulle@debian.org>, 703146@bugs.debian.org
Subject: Re: Bug#703146: #703146 release critical?
Date: Mon, 25 Mar 2013 14:00:48 +0000
On 22/03/13 06:21, Christian PERRIER wrote:
> -		mv "$relsigdest" "$reldest"
> +		rm -f $reldest
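Review bot: the added `rm -f $reldest` line drops the double quotes that the removed `mv "$relsigdest" "$reldest"` line had around the variable; an unquoted `$reldest` undergoes field splitting and pathname expansion, so a path containing whitespace or glob characters would make `rm -f` act on the wrong names. Suggest `rm -f "$reldest"`, matching the quoting of the `gpg --output "$reldest"` call that follows it.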

Is it safe to remove the quotes from there, i.e. are we certain $reldest
will never contain spaces?

If there is going to be a t-p-u upload with targeted fix for wheezy I
suggest taking the opportunity to put the quotes back in place.

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Mon, 25 Mar 2013 15:15:08 GMT)

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Mon, 25 Mar 2013 15:15:08 GMT)

Message #94 received at 703146@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Christian PERRIER <bubulle@debian.org>
Cc: 703146@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#703146: #703146 release critical?
Date: Mon, 25 Mar 2013 16:13:53 +0100
[Message part 1 (text/plain, inline)]
On Fri, Mar 22, 2013 at 07:21:40 +0100, Christian PERRIER wrote:

> debootstrap 1.0.47 has been uploaded with the attached debdiff
> 
That appears to break d-i, so I've pushed some changes on top.  Will
need to test them, but I'm not sure I'll get a chance to do that today.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Tue, 26 Mar 2013 09:03:04 GMT)

Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Tue, 26 Mar 2013 09:03:04 GMT)

Message #99 received at 703146@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: 703146@bugs.debian.org
Subject: Re: Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?
Date: Tue, 26 Mar 2013 10:01:13 +0100
Control: found -1 1.0.44
Control: severity serious

I hit this bug yesterday ... and think that this should be RC if
debootstrap/wheezy cannot produce a working chroot environment.


Andreas



Marked as found in versions debootstrap/1.0.44. Request was from Andreas Beckmann <anbe@debian.org> to 703146-submit@bugs.debian.org. (Tue, 26 Mar 2013 09:03:04 GMT) Full text and rfc822 format available.

Severity set to 'serious' from 'important' Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Tue, 26 Mar 2013 09:15:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Tue, 26 Mar 2013 17:33:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Cama <benjamin.cama@telecom-bretagne.eu>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Tue, 26 Mar 2013 17:33:09 GMT) Full text and rfc822 format available.

Message #108 received at 703146@bugs.debian.org (full text, mbox):

From: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
To: 703146@bugs.debian.org, Christian PERRIER <bubulle@debian.org>, Michael Vogt <mvo@debian.org>
Subject: Better debootstrap InRelease handling fix
Date: Tue, 26 Mar 2013 18:19:51 +0100
[Message part 1 (text/plain, inline)]
Hi,

Pulling gnupg just to extract the cleartext of a PGP signed message
seems a bit too much for me. I stumbled upon this while in
debian-installer, which didn't depend on gnupg, only gpgv, until now.
This looks really overkill. Please find attached a better fix, to me,
only using sed (and compatible with the minimal busybox sed found in
d-i). It should extract anything according to RFC 4880 cleartext signed
message format, according to my reading of it.

I don't reopen this bug as I don't know what is the policy about it
currently, but really consider my solution, please.

Regards,
-- 
Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
[0001-Remove-dependency-on-gnupg-extract-Release-with-sed.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Tue, 26 Mar 2013 18:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Tue, 26 Mar 2013 18:12:04 GMT) Full text and rfc822 format available.

Message #113 received at 703146@bugs.debian.org (full text, mbox):

From: Christian PERRIER <bubulle@debian.org>
To: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
Cc: 703146@bugs.debian.org, Michael Vogt <mvo@debian.org>
Subject: Re: Better debootstrap InRelease handling fix
Date: Tue, 26 Mar 2013 18:57:01 +0100
[Message part 1 (text/plain, inline)]
Quoting Benjamin Cama (benjamin.cama@telecom-bretagne.eu):
> Hi,
> 
> Pulling gnupg just to extract the cleartext of a PGP signed message
> seems a bit too much for me. I stumbled upon this while in
> debian-installer, which didn't depend on gnupg, only gpgv, until now.
> This looks really overkill. Please find attached a better fix, to me,
> only using sed (and compatible with the minimal busybox sed found in
> d-i). It should extract anything according to RFC 4880 cleartext signed
> message format, according to my reading of it.
> 
> I don't reopen this bug as I don't know what is the policy about it
> currently, but really consider my solution, please.

Thanks for your input.

Julien Cristau recently committed another fix, that drops the support
of InRelease files, in d-i, with the same result of turning gpg back
into a Recommends.

We now need to get this into wheezy, indeed.


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Tue, 26 Mar 2013 23:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Tue, 26 Mar 2013 23:57:06 GMT) Full text and rfc822 format available.

Message #118 received at 703146@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>, 703146@bugs.debian.org
Subject: Re: Bug#703146: Better debootstrap InRelease handling fix
Date: Wed, 27 Mar 2013 00:53:44 +0100
* Benjamin Cama <benjamin.cama@telecom-bretagne.eu> [130326 18:33]:
> index 1dc0f87..3333f44 100644
> --- a/functions
> +++ b/functions
> @@ -530,8 +530,13 @@ download_release_sig () {
>  		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
>  	fi
>  	if [ "$release_file_variant" = "IN" ]; then
> -		rm -f $reldest
> -                gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest"
> +		sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/ { \
> +				n \
> +				: check_hash /^Hash:/ { n b check_hash } \
> +				n # blank line \
> +			} \
> +			/^-----BEGIN PGP SIGNATURE-----$/ q \
> +			p' < "$relsigdest" > "$reldest"
>  	fi
>  }
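Review bot: the trailing `p` applies to every line that is not consumed inside the `BEGIN PGP SIGNED MESSAGE` block, so any text placed before that header is copied into `$reldest` as if it were part of the signed message; restrict output to the range that starts at the header, for example by opening the script with `/^-----BEGIN PGP SIGNED MESSAGE-----$/,$!d`, or set a flag when the header is seen and print only while it is set. RFC 4880 dash-escaping is also not reversed: a signed line that starts with `-` is stored as `- ...` and would be extracted with that prefix still in it, so the body lines need an `s/^- //`. Finally, label handling differs between sed implementations (`: check_hash` followed by a command on the same line, and `b check_hash }`), so put the label and the branch on their own lines and test the script with both GNU sed and busybox sed.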

Sorry, but this is not enough to properly extract the contents of an
inline signed message. You still need to do possible unescaping between
those lines.

        Bernhard R. Link



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 27 Mar 2013 09:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 27 Mar 2013 09:33:04 GMT) Full text and rfc822 format available.

Message #123 received at 703146@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: "Bernhard R. Link" <brlink@debian.org>, 703146@bugs.debian.org
Subject: Re: Bug#703146: Better debootstrap InRelease handling fix
Date: Wed, 27 Mar 2013 10:29:48 +0100
On Wed, Mar 27, 2013 at 12:53:44AM +0100, Bernhard R. Link wrote:
> Sorry, but this is not enough to properly extract the contents of an
> inline signed message. You still need to do possible unescaping between
> those lines.

Is the unescaping part necessary for InRelease files? What are the rules
for this?

Bastian

-- 
Another Armenia, Belgium ... the weak innocents who always seem to be
located on a natural invasion route.
		-- Kirk, "Errand of Mercy", stardate 3198.4



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 27 Mar 2013 12:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Cama <benjamin.cama@telecom-bretagne.eu>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 27 Mar 2013 12:03:04 GMT) Full text and rfc822 format available.

Message #128 received at 703146@bugs.debian.org (full text, mbox):

From: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
To: "Bernhard R. Link" <brlink@debian.org>
Cc: 703146@bugs.debian.org
Subject: Re: Bug#703146: Better debootstrap InRelease handling fix
Date: Wed, 27 Mar 2013 12:59:15 +0100
[Message part 1 (text/plain, inline)]
Hi,

Le mercredi 27 mars 2013 à 00:53 +0100, Bernhard R. Link a écrit :
> * Benjamin Cama <benjamin.cama@telecom-bretagne.eu> [130326 18:33]:
> > index 1dc0f87..3333f44 100644
> > --- a/functions
> > +++ b/functions
> > @@ -530,8 +530,13 @@ download_release_sig () {
> >  		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
> >  	fi
> >  	if [ "$release_file_variant" = "IN" ]; then
> > -		rm -f $reldest
> > -                gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest"
> > +		sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/ { \
> > +				n \
> > +				: check_hash /^Hash:/ { n b check_hash } \
> > +				n # blank line \
> > +			} \
> > +			/^-----BEGIN PGP SIGNATURE-----$/ q \
> > +			p' < "$relsigdest" > "$reldest"
> >  	fi
> >  }
> 
> Sorry, but this is not enough to properly extract the contents of a
> inline signed message. You still need to do possible unescaping between
> those lines.

You are right. Furthermore, my version didn't work with GNU sed; the
attached version fixes both problems (and is based on latest master, after
Julien disabled InRelease support). Please note that it will still print
what's _before_ the BEGIN header, if present (there shouldn't be
anything, but if you really want to be picky…)

Regards,
-- 
Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
[0001-Get-back-InRelease-support.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 27 Mar 2013 12:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 27 Mar 2013 12:36:04 GMT) Full text and rfc822 format available.

Message #133 received at 703146@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
Cc: 703146@bugs.debian.org
Subject: Re: Bug#703146: Better debootstrap InRelease handling fix
Date: Wed, 27 Mar 2013 13:32:05 +0100
Le mercredi, 27 mars 2013 12.59:15, Benjamin Cama a écrit :
> attached version fixes both problems (and is based on latest master, after
> Julien disabled InRelease support). Please note that it will still print
> what's _before_ the BEGIN header, if present (there shouldn't be
> anything, but if you really want to be picky…)

Well, yes, we want to be picky: the whole point of checking the signature is 
to avoid letting unsigned content be considered valid by debootstrap / apt / 
etc. See CVE-2013-1051.

That said, I think I would prefer a gpgv patch to only output verified content 
than such sed hackery (although nice).

Cheers,

OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 27 Mar 2013 14:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Cama <benjamin.cama@telecom-bretagne.eu>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 27 Mar 2013 14:03:04 GMT) Full text and rfc822 format available.

Message #138 received at 703146@bugs.debian.org (full text, mbox):

From: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 703146@bugs.debian.org
Subject: Re: Bug#703146: Better debootstrap InRelease handling fix
Date: Wed, 27 Mar 2013 14:59:01 +0100
Le mercredi 27 mars 2013 à 13:32 +0100, Didier 'OdyX' Raboud a écrit :
> Le mercredi, 27 mars 2013 12.59:15, Benjamin Cama a écrit :
> > attached version fixes both problems (and is based on latest master, after
> > Julien disabled InRelease support). Please note that it will still print
> > what's _before_ the BEGIN header, if present (there shouldn't be
> > anything, but if you really want to be picky…)
> 
> Well, yes, we want to be picky: the whole point of checking the signature is 
> to avoid letting unsigned content be considered valid by debootstrap / apt / 
> etc. See CVE-2013-1051.

OK, I understand. With my patch, someone could sneak in an unsigned
Release before the signed one, right? I don't know if apt would parse
it, but it's a problem.

> That said, I think I would prefer a gpgv patch to only output verified content 
> than such sed hackery (although nice).

Yes, this would be a far better solution. But a quick look at gnupg
doesn't make that look easy.

I'll give up on this solution for now, and let InRelease files
unhandled.

Thanks for the comments,
-- 
Benjamin Cama <benjamin.cama@telecom-bretagne.eu>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Wed, 27 Mar 2013 18:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 27 Mar 2013 18:03:07 GMT) Full text and rfc822 format available.

Message #143 received at 703146@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: 703146@bugs.debian.org
Subject: Re: Bug#703146: Better debootstrap InRelease handling fix
Date: Wed, 27 Mar 2013 19:02:07 +0100
* Bastian Blank <waldi@debian.org> [130327 10:29]:
> On Wed, Mar 27, 2013 at 12:53:44AM +0100, Bernhard R. Link wrote:
> > Sorry, but this is not enough to properly extract the contents of an
> > inline signed message. You still need to do possible unescaping between
> > those lines.
>
> Is the unescaping part necessary for InRelease files? What are the rules
> for this?

That depends. If you only process InRelease files created by Debian (or
for that matter likely most other legitimate producers of InRelease
files), then you don't need any unescaping.
If you do process an InRelease file that you only verified to be from
Debian by checking that it is properly signed and you want to have the
content that was actually signed, then you need to unescape the whole
mail and not only strip some parts from the start and the end of the
file.
I do not know if the possible transformations you can do to an inline
signed message without invalidating the signature can have any dangerous
effects on the later use of this data here, but I'd suggest to rather
get it properly extracted instead of hoping one did not overlook any
attack vector.

        Bernhard R. Link
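The extraction Bernhard describes (reverse the dash-escaping and take only the text between the armor headers and the signature block), together with Didier's point that nothing before the BEGIN header may be emitted, as an added example in POSIX sh and awk that is not debootstrap's code or any patch from this thread; the sample file it parses is constructed here and the function name `extract_inrelease` is my own.

```shell
#!/bin/sh
# Added example (not debootstrap's code): extract the cleartext of an RFC 4880
# clearsigned file such as InRelease, refusing anything before the header and
# reversing dash-escaping.  This is extraction only, not verification: gpgv
# must still be run on the same file, and the output used only if that passed.

extract_inrelease() {
    # usage: extract_inrelease INRELEASE_FILE > RELEASE_FILE
    # exit status: 0 ok, 2 unsigned text before the header, 3 unexpected
    # armor header, 4 no signature block (truncated file)
    awk '
        BEGIN { state = 0; rc = 0 }
        # the very first line must be the header: anything before it is
        # unsigned text that a naive extractor would pass off as signed
        NR == 1 && $0 != "-----BEGIN PGP SIGNED MESSAGE-----" { rc = 2; exit }
        NR == 1 { state = 1; next }
        # armor headers ("Hash: ..."), terminated by exactly one empty line
        state == 1 && $0 == ""       { state = 2; next }
        state == 1 && $0 ~ /^Hash: / { next }
        state == 1                   { rc = 3; exit }
        # signed text until the signature armor; a line stored as "- ..." is
        # dash-escaped (RFC 4880 section 7.1), so drop the two-byte prefix
        state == 2 && $0 == "-----BEGIN PGP SIGNATURE-----" { state = 3; exit }
        state == 2 { sub(/^- /, ""); print; next }
        END { if (rc == 0 && state != 3) rc = 4; exit rc }
    ' "$1"
}

# Constructed sample, not a real Debian InRelease: the signature block is a
# placeholder (gpgv would reject it); it only exercises the extraction.
write_sample_inrelease() {
    printf '%s\n' \
        '-----BEGIN PGP SIGNED MESSAGE-----' \
        'Hash: SHA256' \
        '' \
        'Origin: Debian' \
        'Suite: testing' \
        '- -- a signed line that itself starts with dashes' \
        '-----BEGIN PGP SIGNATURE-----' \
        'PLACEHOLDER-SIGNATURE-DATA' \
        '-----END PGP SIGNATURE-----' > "$1"
}

# Same sample with one unsigned line smuggled in before the header.
write_sample_with_prefix() {
    { printf '%s\n' 'Origin: injected-before-signature'; cat "$1"; } > "$2"
}

clean=$(mktemp); bad=$(mktemp)
write_sample_inrelease "$clean"
write_sample_with_prefix "$clean" "$bad"
echo "== clean sample, extracted signed text:"
extract_inrelease "$clean"
echo "== sample with unsigned prefix:"
extract_inrelease "$bad" || echo "rejected, exit status $?"
rm -f "$clean" "$bad"
```

Every line of the signed text is printed with a trailing newline, which is what a Release parser expects; strictly, RFC 4880 excludes the final line ending before the signature armor from the signed text, which matters only if you recompute the hash yourself.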







Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Thu, 28 Mar 2013 09:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Thu, 28 Mar 2013 09:09:07 GMT) Full text and rfc822 format available.

Message #148 received at 703146@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 703889@bugs.debian.org, 703146@bugs.debian.org
Cc: Julien Cristau <jcristau@debian.org>
Subject: debootstrap patch disabling InRelease handling
Date: Thu, 28 Mar 2013 10:04:32 +0100
Hi Julien,

FYI, I have tested the patch disabling InRelease handling as pushed to 
debootstrap's git in two situations:

* standard package; debootstrap a wheezy chroot: OK
* d-i environment (built mini.iso, installed debootstrap-udeb in it): OK

Cheers,

OdyX



Merged 703146 704190 Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sat, 30 Mar 2013 04:33:09 GMT) Full text and rfc822 format available.

Added indication that 703146 affects ltsp-server Request was from Vagrant Cascadian <vagrant@debian.org> to control@bugs.debian.org. (Sat, 30 Mar 2013 22:27:08 GMT) Full text and rfc822 format available.

Added tag(s) confirmed. Request was from Vagrant Cascadian <vagrant@debian.org> to 704190-submit@bugs.debian.org. (Sun, 31 Mar 2013 14:57:05 GMT) Full text and rfc822 format available.

Added indication that 703146 affects pbuilder Request was from paul cannon <pik@debian.org> to control@bugs.debian.org. (Mon, 01 Apr 2013 05:39:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Tue, 02 Apr 2013 12:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Tue, 02 Apr 2013 12:36:04 GMT) Full text and rfc822 format available.

Message #161 received at 703146@bugs.debian.org (full text, mbox):

From: Axel Beckert <abe@debian.org>
To: 704263@bugs.debian.org
Cc: Adam Baxter <voltagex@voltagex.org>, 703146@bugs.debian.org
Subject: Re: Bug#704263: installation-reports: busybox fails to verify on current wheezy/sid installer
Date: Tue, 2 Apr 2013 14:34:09 +0200
Hi,

Adam Baxter wrote:
> Subject: […] busybox fails to verify on current wheezy/sid installer

Same here. But not only busybox, but also dmsetup, libdevmapper1.02.1,
etc.

As this was prefixed with "in-target" I checked how the issue is
presented from inside the chroot:

apt-get install busybox really complains about an unauthenticated
package.

apt-get update doesn't solve the issue but reveals the source for the
issue: 

W: GPG error: http://debian.ethz.ch wheezy Release: The following
signatures were invalid: BADSIG AED4B06F473041FA Debian Archive
Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

According to
https://lists.debian.org/debian-mirrors/2013/03/msg00005.html this
looks a lot like http://bugs.debian.org/703146 (Cc'ed), too, which is
worked on.

Interestingly the issue could be solved by running the following
commands inside the chroot while D-I asks me which kernel to install:

# cd /var/lib/apt/lists
# rm ftp.*.debian.org*
# apt-get update
# apt-get install busybox
(No BADSIG here, installs fine.)

(If I do this before that question, debootstrap seems to overwrite the
previous installation and hence the manually installed busybox.)

So the funny thing is that all packages were accepted despite the
BADSIG issue, except busybox. Sounds as if there's more broken than
just #703146.

It also seems to have forgotten some settings after aborting at the
busybox install failure. E.g. preseeding stuff (otherwise I would have
expected that it doesn't ask me for the kernel to choose at some
point) as well as the fact that it should have installed lvm2 into
the target (as I manually partitioned a VG in the installer), i.e. it
didn't find any root file system at the first reboot and I had to boot
via PXE for rescue mode to install lvm2, too.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#703146; Package debootstrap. (Sat, 06 Apr 2013 14:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Sat, 06 Apr 2013 14:21:07 GMT) Full text and rfc822 format available.

Message #166 received at 703146@bugs.debian.org (full text, mbox):

From: Cyril Brulebois <kibi@debian.org>
To: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>, 703146@bugs.debian.org
Subject: Re: Bug#703146: Better debootstrap InRelease handling fix
Date: Sat, 6 Apr 2013 16:20:22 +0200
[Message part 1 (text/plain, inline)]
Hello Benjamin,

Benjamin Cama <benjamin.cama@telecom-bretagne.eu> (27/03/2013):
> Yes, this would be a far better solution. But a quick look at gnupg
> doesn't make that look easy.
> 
> I'll give up on this solution for now, and let InRelease files
> unhandled.

thanks for your efforts anyway.

Mraw,
KiBi.
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:45:36 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:26:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.