* Bastian Blank <wa...@debian.org> [130327 10:29]:
> On Wed, Mar 27, 2013 at 12:53:44AM +0100, Bernhard R. Link wrote:
> > Sorry, but this is not enough to properly extract the contents of an
> > inline signed message. You still need to do possible unescaping between
> > those lines.
>
> Is the unescaping part necessary for InRelease files? What are the rules
> for this?

That depends. If you only process InRelease files created by Debian (or
for that matter likely most other legitimate producers of InRelease
files), then you don't need any unescaping. If you do process an
InRelease file that you only verified to be from Debian by checking
that it is properly signed and you want to have the content that was
actually signed, then you need to unescape the whole mail and not only
strip some parts from the start and the end of the file.

I do not know if the possible transformations you can do to an inline
signed message without invalidating the signature can have any
dangerous effects on the later use of this data here, but I'd suggest
to rather get it properly extracted instead of hoping one did not
overlook any attack vector.

        Bernhard R. Link
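
The following is an added example, not part of the original message and not code from Debian or GnuPG. It sketches the extraction discussed above using the dash-escaping rules of RFC 4880, section 7.1, next to an extraction that only strips the start and the end. The function names and the sample are constructed for illustration, and signature verification is assumed to be done separately by an OpenPGP implementation.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample, not a real InRelease file; the signature is a placeholder.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Origin: Example\n"
    "Label: trailing blanks   \n"
    "- -----\n"
    "- - item\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER\n"
    "-----END PGP SIGNATURE-----\n"
)


def split_lines(text):
    # Split on LF/CRLF only; str.splitlines() would also split on other characters.
    return text.replace("\r\n", "\n").split("\n")


def naive_extract(text):
    """Strip only the parts at the start and the end; no unescaping."""
    lines = split_lines(text)
    return lines[lines.index("") + 1:lines.index(BEGIN_SIG)]


def extract_signed_lines(text):
    """Return the cleartext lines as they were signed (RFC 4880, section 7.1)."""
    lines = split_lines(text)
    if lines[0] != BEGIN_MSG:
        raise ValueError("not a cleartext signed message")
    i = 1
    while i < len(lines) and lines[i] != "":
        # Only "Hash:" armor headers are allowed before the blank line.
        if not lines[i].startswith("Hash: "):
            raise ValueError("unexpected armor header")
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == BEGIN_SIG:
            return body
        if line.startswith("- "):
            line = line[2:]              # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped dash line inside cleartext")
        body.append(line.rstrip(" \t"))  # trailing blanks are not signed
    raise ValueError("missing signature armor")
```

On the constructed sample the two functions return different lines: the naive version keeps the "- " prefixes and the trailing blanks, neither of which is part of the signed text.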