On Thu, Mar 3, 2016 at 21:12:06 -0500, Mathieu Trudel-Lapierre wrote:
> Hi,
>
> Looking into a bug in Ubuntu relating to an out-of-sync proxy, InRelease
> file support in debootstrap came up.
>
> I found out that debootstrap had already had such support in the past
> (specifically, in 1.0.47 and earlier) and that was removed by Julien
> Cristau because it also pulled in a fuller gpg, which comes with its own
> set of potential issues.
>
> Seems like we could well put it back in and just replace the bit that
> extracts the signed data in InRelease (same as is in Release) with using
> sed and grep to remove the signature text.
>
> I did the work and pushed it to git at
> http://anonscm.debian.org/cgit/d-i/debootstrap.git/log/?h=people/cyphermox/inrelease.
> As before, this would default to using the InRelease file from the
> archive first, if available, and otherwise fall back to using the usual
> Release + Release.gpg.
>
> Is there any interest for supporting this again? I would like some
> feedback on the code branch, then I'd be happy to merge it to master
> (but I would still need someone to sponsor the upload).
>

Hi Mathieu,

I had a look at your branch. As far as I can tell, that code will happily accept an InRelease file that starts with correct signed bits, with random unsigned data appended. That seems wrong.

Cheers,
Julien
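
The concern raised in the reply, shown as an added example that is not part of the original thread and is not the code in the branch: a sed-based extraction that only deletes armor lines, next to a strict parser that rejects anything outside a single clearsigned block. The function names and sample files are constructed for illustration; the check is structural only, and the signature itself still has to be verified (for example with gpgv) over the same file.

```shell
#!/bin/sh
# Added example, not debootstrap code; all function names are hypothetical.

# Naive: delete the armor with sed. Lines after the signature block survive.
naive_payload() {
    sed -e '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/d' \
        -e '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/d' "$1"
}

# Strict: print the cleartext only if the file is exactly one clearsigned block.
strict_payload() {
    awk '
    st == 0 {                    # line 1 must open the clearsigned block
        if ($0 != "-----BEGIN PGP SIGNED MESSAGE-----") { bad = 1; exit }
        st = 1; next
    }
    st == 1 {                    # armor headers end at the first empty line
        if ($0 == "") st = 2
        else if ($0 !~ /^Hash: /) { bad = 1; exit }
        next
    }
    st == 2 && $0 == "-----BEGIN PGP SIGNATURE-----" { st = 3; next }
    st == 2 {                    # cleartext: undo dash-escaping, reject raw "-" lines
        if ($0 ~ /^- /) $0 = substr($0, 3)
        else if ($0 ~ /^-/) { bad = 1; exit }
        out[n++] = $0; next
    }
    st == 3 { if ($0 == "-----END PGP SIGNATURE-----") st = 4; next }
    st == 4 { bad = 1; exit }    # anything after the signature is unsigned
    END {
        if (bad || st != 4) exit 1
        for (i = 0; i < n; i++) print out[i]
    }' "$1"
}

# Constructed samples: a well-formed file, and the same file with a line appended.
make_samples() {
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' \
        'Origin: Example' 'Suite: stable' '-----BEGIN PGP SIGNATURE-----' '' \
        'placeholder, not a real signature' '-----END PGP SIGNATURE-----' > "$1/good"
    { cat "$1/good"; echo 'Suite: unsigned-appended'; } > "$1/appended"
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
for f in good appended; do
    if strict_payload "$demo_dir/$f" >/dev/null; then echo "$f: accepted"; else echo "$f: rejected"; fi
done
```

The strict parser buffers the cleartext and prints it only after the whole file has passed, so a rejected file produces no partial output for a caller to consume.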