Julien Cristau writes:
> On Thu, Mar 3, 2016 at 21:12:06 -0500, Mathieu Trudel-Lapierre wrote:
>> Looking into a bug in Ubuntu relating to an out of sync proxy, InRelease
>> file support in debootstrap came up.
>>
>> I found out that debootstrap had already had such support in the past
>> (specifically, in 1.0.47 and earlier) and that was removed by Julien
>> Cristau because it also pulled in a fuller gpg, which comes with its own
>> set of potential issues.
>>
>> Seems like we could well put it back in and just replace the bit that
>> extracts the signed data in InRelease (same as is in Release) with using
>> sed and grep to remove the signature text.
>>
>> I did the work and pushed it to git at
>> http://anonscm.debian.org/cgit/d-i/debootstrap.git/log/?h=people/cyphermox/inrelease.
>> As before, this would default to using the InRelease file from the
>> archive first, if available, and otherwise fall back to using the usual
>> Release + Release.gpg.
>>
>> Is there any interest in supporting this again? I would like some
>> feedback on the code branch, then I'd be happy to merge it to master
>> (but I would still need someone to sponsor the upload).
>>
> Hi Mathieu,
>
> I had a look at your branch. As far as I can tell, that code will
> happily accept an InRelease file that starts with correct signed bits,
> with random unsigned data appended. That seems wrong.
If you restore support for `InRelease` and want to use `gpgv`, please split `InRelease` into two files, i.e. `Release` and `Release.gpg`, and verify that the signature actually covers all of `Release`. Calling `gpgv` on `InRelease` and then hoping to extract the right part is quite error-prone. (As Julien notes, and I agree.) Quite a lot of tools in Debian got this wrong, see for example CVE-2013-1051. As far as I understand, splitting `InRelease` into data and detached signature is also what `apt` does these days.

Ansgar
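For reference, here is a worked version of the split Ansgar describes, written as an added example for this thread (it is not code from debootstrap, apt, or the branch linked above). One awk pass accepts exactly one clearsigned block and nothing else, writes the dash-unescaped text to `Release` and the armor to `Release.gpg`, and only then is `gpgv` run over the two pieces. The function names (`split_inrelease`, `verify_inrelease`), the keyring argument, and the decision to reject any unescaped `-----` line inside the signed text are my assumptions, not something the thread or either tool specifies.

```sh
#!/bin/sh
# Split a clearsigned InRelease into Release (signed text) and Release.gpg
# (armored signature), refusing any file that is not exactly one clearsigned
# block. Illustrative helper for this thread, not debootstrap or apt code.
#
# Usage: split_inrelease INRELEASE OUT_RELEASE OUT_RELEASE_GPG
split_inrelease() {
    if ! awk -v data="$2" -v sig="$3" '
        function fail(msg) { err = msg; exit 1 }
        BEGIN { state = 0; first = 1; err = "" }
        {
            if (state == 0) {
                # Nothing may precede the armor header.
                if ($0 == "-----BEGIN PGP SIGNED MESSAGE-----") state = 1
                else fail("data before the signed message")
            } else if (state == 1) {
                # Armor headers such as "Hash: SHA512" end at the first blank line.
                if ($0 == "") state = 2
            } else if (state == 2) {
                if ($0 == "-----BEGIN PGP SIGNATURE-----") {
                    if (first) fail("empty signed text")
                    print $0 > sig; state = 3
                } else if (substr($0, 1, 5) == "-----") {
                    # A genuine "-----" line in the text would be dash-escaped;
                    # an unescaped one is treated as malformed (conservative choice).
                    fail("unescaped armor line inside the signed text")
                } else {
                    line = $0
                    if (substr(line, 1, 2) == "- ") line = substr(line, 3)  # undo dash-escaping
                    sub(/[ \t]+$/, "", line)  # trailing whitespace is not signed (RFC 4880 7.1)
                    # The line ending just before "-----BEGIN PGP SIGNATURE-----" is not
                    # signed either, so newlines are written as separators, never as a
                    # terminator: Release must not end with "\n" or gpgv hashes extra bytes.
                    printf("%s%s", first ? "" : "\n", line) > data
                    first = 0
                }
            } else if (state == 3) {
                print $0 > sig
                if ($0 == "-----END PGP SIGNATURE-----") state = 4
            } else {
                # The case from the thread: correct signed bits followed by
                # data the signature does not cover. Reject, do not ignore.
                fail("unsigned data after the signature")
            }
        }
        END {
            if (err != "") { print "InRelease: " err > "/dev/stderr"; exit 1 }
            if (state != 4) { print "InRelease: truncated clearsigned block" > "/dev/stderr"; exit 1 }
        }' "$1"
    then
        # Never leave a partial Release behind for a later step to trust.
        rm -f "$2" "$3"
        return 1
    fi
}

# Usage: verify_inrelease INRELEASE KEYRING WORKDIR
# gpgv checks the detached signature over all of Release; a file that
# split_inrelease rejected never reaches gpgv at all.
verify_inrelease() {
    split_inrelease "$1" "$3/Release" "$3/Release.gpg" || return 1
    gpgv --keyring "$2" "$3/Release.gpg" "$3/Release"
}

# Stand-alone use (paths are placeholders):
#   sh inrelease-split.sh InRelease keyring.gpg /tmp/work
if [ "$#" -eq 3 ]; then
    verify_inrelease "$1" "$2" "$3"
fi
```

Two details do the real work. First, the structural pass is strict about what lies outside the block: a byte before the `BEGIN PGP SIGNED MESSAGE` line, a byte after the `END PGP SIGNATURE` line (even a blank line), or a file that stops early all fail before `gpgv` is consulted, which is exactly the hole Julien found. Second, the text is written without a final newline and with dash-escaping undone, because that is the text the clearsign signature was computed over; if the split gets either wrong, `gpgv` fails closed rather than open, but the point of doing it carefully is that valid files verify. On any failure the partial outputs are removed so that nothing downstream can pick up a half-written `Release`.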