| Commit message (Expand) | Author | Age |
|---|
| * | Revert "test failure."•••This reverts commit eac13303c66da4e22447c1132b214593a3865130.
| Junichi Uekawa | 2012-03-31 |
| * | test failure. | Junichi Uekawa | 2012-03-31 |
| * | Show current time in create / update operations too. (closes: #613854)•••It's probably useful to see them in the logs.
| Junichi Uekawa | 2012-03-28 |
| * | factor out common code for apt key rings. | Junichi Uekawa | 2012-03-13 |
| * | make longer lines wrap so reading patch files aren't as painful. | Junichi Uekawa | 2012-03-09 |
| * | Bug#579028: pbuilder: installs untrusted packages without asking•••Package: pbuilder
Version: 0.206
Tags: patch
Followup-For: Bug #579028
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The attached patch changes the defaults to always enforce signed
repositories and aborts if an untrusted/manipulated package is
installed. It adds the new option --keyring (APTKEYRINGS) to add
additional keyrings, which are then used to verify the (local)
signed repositories. This way no untrusted packages can be
installed.
To still allow untrusted/unsigned repositories - they are a very
bad idea and allow remote attackers performing a MITM to take
over the system, including all built packages - the new option
- --allow-untrusted (ALLOWUNTRUSTED) was added.
I tested it with the official Debian repository, signed and
unsigned local repositories and it works fine for me. But I'm
only a "normal" pbuilder user, so I might have missed something.
Please test the patch.
I haven't tested it with cdebootstrap, but it should work as
well.
The old PBUILDERSATISFYDEPENDSOPT --check-key option was
deprecated and is no longer used (it emits a warning now) as
validation is the default now.
The patch also contains documentation updates for the new
options/variables and updates for the NEWS file describing the
necessary changes to continue using untrusted packages (but
please don't do that - especially as a Debian developer).
Please have a look and include the patch as soon as possible to
fix this security issue.
Regards,
Simon
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pbuilder depends on:
ii cdebootstrap 0.5.8+b1
ii coreutils 8.13-3
ii debconf [debconf-2.0] 1.5.41
ii debianutils 4.2.1
ii debootstrap 1.0.38
ii dpkg-dev 1.16.1.2
ii wget 1.13.4-2
Versions of packages pbuilder recommends:
pn devscripts 2.11.4
pn fakeroot 1.18.2-1
pn sudo <none>
Versions of packages pbuilder suggests:
pn cowdancer <none>
pn gdebi-core <none>
pn pbuilder-uml <none>
- -- debconf information excluded
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPVWhvAAoJEJL+/bfkTDL5ivAP/iayE8NRQnyk2HW8R+NiRXU3
uavLilwwpmEZyuciu8GxMQIAhT9HYd/DlkhF9I+yBSd30TO3fl0xW7YV9SaIZ+bv
IPwnZbHri4KfeV9Zob/gd2jrT9A2QCoFRW0ny4XNCK3NvtWH5KuH+TG2Mq5CQqdN
j4VJ3+76oJcbQbU7AUYXfvKDAsEb7gX+VwTEFLS4GrPkni/FIQJ8HHJhlTscyuCD
gQANCoRFZHVSMaas3xqi9KYFKgVS4BZ5Z/9FZuLeY5kWBfcbnIhQloVOWTQZIMRI
PhnqP1g62XlPu71K3a/Y2RMAcy3Gs6sUbW4OianIr2iskCndejih/MCb+3LmBFCg
Ekxi/CcJGrc7a0pV57Qs8Iwkm1siRZZUxcp4xdD3mo9iayoOt4sfFyrvBCYryilQ
7JKpQc3iNoV3EQql6KBu5G+GmFFWHmokpLvVY27n8LgkV2YSb2wrgxqXPfxcYHj7
0j/y2MFw+HOX/d5YSESMLxn9aiZBi7CkMtlMemzqizxlNlL/+OOZiDsi4vdH8L/j
Y0c2i9efjNeooc0/B9wASu/Ck8SWV8wW1EcfTag0p9Rp0avy4hoQUmG+MtgQsV0l
MQuWWysyxeJFX4Z8ooau82L6sIGC0L073JH6Y/C7uTOz9gKt+e5tV3fnU+pkWpqH
oF3CcmlykKX4SYzhUI/e
=6EPj
-----END PGP SIGNATURE-----
>From cadc48fb599d436577a6efedc7f25e175652a3a1 Mon Sep 17 00:00:00 2001
Message-Id: <cadc48fb599d436577a6efedc7f25e175652a3a1.1330997290.git.simon@ruderich.org>
From: Simon Ruderich <simon@ruderich.org>
Date: Tue, 6 Mar 2012 02:00:48 +0100
Subject: [PATCH] Enforce valid signed repositories by default.
| Simon Ruderich | 2012-03-09 |
| * | Add an option to verify key signatures. (closes: #579028)•••By unsetting APTGETOPT, and setting
PBUILDERSATISFYDEPENDSOPT=('--check-key'), the user now has an option
of verifying the key signature of each package against the installed
keyring.
| Junichi Uekawa | 2010-07-05 |
| * | Add builtin ccache support, enabled by default•••Add builtin support for using ccache in pbuilder and enable it by
default. Ship a new /var/cache/pbuilder/ccache dir and bind-mount and
chown it to BUILDUSERID at build time. Install/remove ccache
automatically on create/update if CCACHEDIR is set/unset. Update docs
and remove old ccache config example. Add a NEWS entry featuring the
change.
| Loïc Minier | 2010-01-02 |
| * | Remove aptitude with apt-get install aptitude-•••Remove aptitude with apt-get install aptitude- and note that we should
use apt-get to remove REMOVEPACKAGES in the future.
| Loïc Minier | 2010-01-02 |
| * | Only remove/install aptitude on create/update•••Only install aptitude in pbuilder-createbuildenv or
pbuilder-updatebuildenv, not in pbuilder-satisfydepends-aptitude, and
only when $PBUILDERSATISFYDEPENDSCMD uses aptitude. Remove aptitude in
pbuilder-createbuildenv and pbuilder-updatebuildenv otherwise;
closes: #539578.
| Loïc Minier | 2010-01-02 |
| * | Also drop apt from pbuilder-updatebuildenv | Loïc Minier | 2010-01-02 |
| * | pass apt-get '-q' option to remove the progress.•••It's probably not too useful when used non-interactively, and clutters output.
| Junichi Uekawa | 2009-08-15 |
| * | install aptitude via EXTRAPACKAGES, and not hard-code. (closes: #539578) | Junichi Uekawa | 2009-08-08 |
| * | Do not error out on etch apt for apt-get autoremove (closes: #531454)•••Just ignore the error for now.
'|| true' should be removed after etch is no longer supported.
There are other solutions like checking for versions, but I don't like
the complexity required just to support an old version.
| Junichi Uekawa | 2009-06-19 |
| * | Drop useless -o APT::Get::AutomaticRemove=true•••Drop useless -o "APT::Get::AutomaticRemove=true" from dist-upgrade.
| Loïc Minier | 2009-05-10 |
| * | Call apt-get autoremove on upgrades; #322649•••Call "apt-get autoremove" explicitely on upgrades as
APT::GET::AutomaticRemove=true doesn't work with "apt-get dist-upgrade";
closes: ##322649.
| Loïc Minier | 2009-05-10 |
| * | refactor to use 'log' function rather than using 'echo' directly.•••First cut into doing this, hopefully we're not breaking anything.
| Junichi Uekawa | 2009-02-26 |
| * | Set APT::Get::AutomaticRemove=true in upgrade instead of calling autoremove•••Instead of running "apt-get autoremove", run apt-get dist-upgrade with -o
APT::Get::AutomaticRemove=true; this avoids solutions based on checking for
the version of APT or outputting an error on older APT, or masking all
errors. Also, autoremove happens after the upgrade instead of before.
| Loïc Minier | 2008-01-12 |
| * | Do not show "Upgrading for distribution xyz" message on update when --overrid...•••when no --override-config option is given, options like --distribution,
.... (or their .pbuilderrc counterparts DISTRIBUTION, ...) are not taken
into account for setting up the chroot, they also shouldn't be used for
outputting diagnostics.
Thanks to Andreas Beckmann <debian@abeckmann.de>
| Junichi Uekawa | 2008-01-11 |
| * | * Run apt-get autoremove after upgrade. | Loïc Minier | 2007-12-18 |
| * | * rename pbuilder-satisfydepends to pbuilder-satisfydepends-classic, and••• install pbuilder-satisfydepends-aptitude as the deafault
pbuilder-satisfydepends
* install aptitude per default in chroot.
| Junichi Uekawa | 2007-08-28 |
| * | fix always ending with "Aborting with error" | Junichi Uekawa | 2007-05-27 |
| * | fix thinko: trap exit -> trap - exit | Junichi Uekawa | 2007-05-27 |
| * | change "trap" handling so that all trap function calls are called _trap, and ... | Junichi Uekawa | 2007-05-27 |
| * | trap sighup as well as exit: create/update | Junichi Uekawa | 2007-05-27 |
| * | trap SIGHUP as well as EXIT. | Junichi Uekawa | 2007-05-27 |
| * | copyright year 2007, and changelog about it, and changelog warning/error to >&2 | Junichi Uekawa | 2007-03-27 |
| * | update copyright info. | dancer | 2006-05-30 |
| * | * fix pdebuild --help output (closes: #367133)••• * pbuilderrc.5: undocument the restriction that --buildresult
option needs to be specified for pdebuild, and BUILDRESULT cannot
be used.
I should probably warn that the directory should be absolute.
* pdebuild.1: fix man a bit to make --buildresult option doc
unambiguous.
| dancer | 2006-05-14 |
| * | preliminary support for bind-mounted apt cache directory. | dancer | 2006-02-12 |
| * | Revert to using --force-yes, since --allow-unauthenticated doesn't work with ...••• * Bug fix: "/usr/share/doc/pbuilder/examples/B90linda missing
--force-yes option", thanks to qfunk (Closes: #340715).
Note: --allow-unauthenticated is probably a better option here, but
apt-get in sarge does not support it, we will revisit it after etch.
| dancer | 2005-12-04 |
| * | * Bug fix: "/usr/share/doc/pbuilder/examples/B90linda missing••• --allow-unauthenticated option", thanks to qfunk (Closes: #340715).
- fixed other scripts to use --allow-unauthenticated option rather than --force-yes.
* debconf compatibility level 4
| dancer | 2005-12-04 |
| * | update documentation and manual pages••• * suppress warnings from find; it wants -maxdepth before any other
argument. (closes: #330848)
* Documentation update patch from Osamu Aoki to clarify about
configuration file priorities and issues associated with it.
(closes: #325318)
| dancer | 2005-09-30 |
| * | testsuite is ran again. | dancer | 2005-06-04 |
| * | autoclean option. | dancer | 2005-06-03 |
| * | + * pbuilder.8: document --autocleanaptcache•••+
+ * pbuilder-updatebuildenv:
+ * pbuilder-checkparams (AUTOCLEANAPTCACHE): support auto-clean of aptcache
+ (IGNORE_UMOUNT): add --autocleanaptcache
+
| dancer | 2005-06-03 |
| * | change to use experimental,•••and apply patch; and apply my own patch.
| dancer | 2005-06-03 |
| * | + * pbuilder-updatebuildenv: Patch from matt kraai to save•••+ apt cache when pbuilder update fails.
+ 252777, 252793
+
| dancer | 2004-06-17 |
| * | + * debian/control (Description): do not conflict with older bash.•••+
+ * pbuilder-buildpackage-funcs:
+ * pbuilder-checkparams: do not error out on
+ failure to unset.
+
+ * pbuilder.8: document --debug.
+
+ * pbuilder-checkparams (IGNORE_UMOUNT): --debug option.
+
+ * pbuilder-createbuildenv:
+ * pbuilder-updatebuildenv: use PBUILDER_DEBUGMODE variable
+
| dancer | 2003-12-16 |
| * | + * pbuilder-createbuildenv (DEBOOTSTRAPSCRIPT): use $TRAP instead of trap,•••+ and set TRAP to trap only when PRESERVE_BUILDPLACE is not yes.
+
+ * Makefile (install): install new examples.
+ * atoron.procmailrc (DUMMY): add daisuke to family.
| dancer | 2003-12-16 |
| * | +2003-09-04 Junichi Uekawa <dancer@debian.org>•••+
+ * pbuilder-modules: fix typo in file existence checking.
+
+ * debian/TODO: how about passing "-o dpkg::Options=--force-confnew" to apt? is now done.
+ Request from Roland Stigge <ernie@atari.antcom.de>
+ to finally implement the missing feature.
+
+ * pbuilder-checkparams: set FORCE_CONFNEW array variable if
+ DEBIAN_FRONTEND is noninteractive to allow non-interactive install.
+
+ * pbuilder-updatebuildenv: use FORCE_CONFNEW variable to
+ give force-confnew option to DPKG
+
| dancer | 2003-09-03 |
| * | update copyright date | dancer | 2003-04-19 |
| * | + * pbuilder.8,pbuilder-createbuildenv,pbuilder-updatebuildenv: change hook n...•••+
| dancer | 2003-03-10 |
| * | + * debian/rules: add check target for build.•••+
+ * Makefile (check): add check target to makefile, to see if there is
+ any syntax error.
+
+ * pbuilder-updatebuildenv: support --preserve-buildplace
+ apply things from
+ Daniel Schepler <schepler@math.berkeley.edu>
+
+ * pbuilder-satisfydepends: support --preserve-buildplace
+ support Format: field.
+
+ * pbuilder-modules (pbuilder-options): support --preserve-buildplace
+
+ * pbuilder-buildpackage (PACKAGENAME): support --preserve-buildplace
+
+ * pbuilder-buildpackage-funcs: support --preserve-buildplace
+
+ * pbuilder-createbuildenv (DEBOOTSTRAPSCRIPT): support --preserve-buildplace
+
+ * pbuilder-checkparams (PRESERVE_BUILDPLACE): add PRESERVE_BUILDPLACE
+
+ * pbuilder.8: update docs to add --preserve-buildplace
+
| dancer | 2003-03-10 |
| * | +•••+ * pbuilder-modules (create_basetgz): new function
+ add file locking
+ (extractbuildplace) add file locking.
+
+ * pbuilder-updatebuildenv: use create_basetgz
+
+ * pbuilder-createbuildenv (DEBOOTSTRAPSCRIPT): make error handling more
+ fine-grained, and add more handling for error cases.
+ (create_basetgz): move function over to -modules.
+ and use it.
+
| dancer | 2002-10-11 |
| * | + * pbuilder-user-mode-linux: add trapping and cleaning up routine.•••+
+ * pbuilder-modules: modify things shuffling around until it works...
+
+ * pbuilder-user-mode-linux (BUILDING_DSC_FILE): add call to pbuilder update.
+
+ * pbuilder-updatebuildenv: check for INTERNAL_BUILD_UML and ignore the
+ basetgz creation in UML.
+
+ * pbuilder-modules: remove invocation of hostname from uml.
+
+ * debian/control (Depends): require 1.31.1 or greater of debianutils for readlink
+
+ * Makefile (install): add pbuilder-user-mode-linux to install target
+
+ * debian/control (Depends): add depends on debianutils, for readlink
+
| dancer | 2002-09-16 |
| * | + * pbuilder-checkparams (CHROOTEXEC): add --internal-chrootexec option to se...•••+
+ * pbuilder-createbuildenv: remove def for CHROOTEXEC
+ * pbuilder-updatebuildenv: ditto
+
+ * pbuilder-checkparams (CHROOTEXEC): CHROOTEXEC is set in checkparams, instead of -buildpackage etc.
| dancer | 2002-09-13 |
| * | 20020713:vivare: | dancer | 2002-07-12 |
| * | added hooks support for pbuilder build target. | dancer | 2002-02-24 |
| * | changes | dancer | 2002-02-14 |