On Mon, 2012-06-25 at 14:05 +0200, Axel Beckert wrote:
> HTTPS may not be supported by all mirrors returned by cdn.debian.net.
> Additionally for APT via HTTPS to work, a separate package
> (apt-transport-https) is needed which may not be installed. See also
> below.
Yeah,... and more over,... we can't trust the mirrors...


> I consciously avoid APT and dpkg at that point as the howto must work
> even when the dpkg or APT state databases are locked by a process
> running inside the currently not reachable screen session.
Valid point, too.
Does dpkg-deb work without locking? Probably...


> If so, this is potentially an alternative. But from my mind,
> I'd say there is some locking so this wouldn't work.
Probably.


> Cumbersome, but also an option.
As said...

> I though fear that it's too cumbersome
> so noone would actually check the hashsum.
Well I mean all we must do (IMHO) is to explicitly warn people.
If the users are stupid, you cannot forcibly prevent them from shooting
themselves into their foot.


Let me see...

> if [ -r /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ]; then
Is this always available? The squeeze keys might be dropped at some
point after wheezy, right?

>   gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg 
> Release.gpg Release
> else
>   gpgv Release.gpg Release
> fi
No handling if the verify step fails..



> sha256sum Packages.gz
> fgrep main/binary-$ARCH/Packages.gz Release
> # Check if hashsums are the same. If yes, continue
Ah.... you don't mean all this simple script... guess that would have
been better,.. cause now it's even more steps a user has to copy and
past and compare than the poor-man-sha512-sums idea from above.


> wget http://cdn.debian.net/debian/`zegrep -A13 '^Package: screen$' 
> Packages.gz | awk '/^Filename:/ {print $2}'`
> zegrep -A13 '^Package: screen$' Packages.gz
> sha256sum screen_*.deb
> # Check if hashsums are the same. If yes, continue
> dpkg-deb --fsys-tarfile screen_4.0.3-14*.deb | tar xvf - ./usr/bin/screen
> usr/bin/screen -rd
Apart from that it seems okay to me,... but it also doesn't handle the
case if any deps are required ("This includes also installing further
packages to get things done").


> sha256sum comes from coreutils, *grep from gzip + grep (all
> essential). Only wget and gpgv are just of priority important.
Well if someone has removed gpgv it's his own fault and he'll simply
have to kill the running screen sessions.

In general I'd say this:
- a script which does the above automatically and absolutely securely
(i.e. it fails with no unpacked screen binary if something cannot be
verified), which is removed after wheezy, would be the best.


- OTOH, as you already provide information that 4.1 cannot connect to
pre 4.1 in the NEWS file, anyone installing it, should be able to clean
up such existing sessions cleanly, before upgrading at all.
Even if not,... the /tmp solution should work in 99% of all cases.
And now if that didn't work, we have this howto.

So I mean, we're basically already securing the fallback of the
fallback ;)


- Therefore, a plain hint (in the news file), that checking the trust
paths of the deb files is utterly important, otherwise possibly
compromising the system security, would in principle also be okay for
me.


- Whatever is done however, howto, script, hint... it's important IMHO
that this is part of the package.
It's useless if we provide a howto or script on, say wiki.debian.org,
because this may not be securely reachable by the user.


> As mentioned above, it must also work if dpkg or APT are locked and I
> suspect that this means that apt-get can't be used at all.
Yes,.. possible this doesn't work.
OTOH one could also argue again,... that the user then simply has to
kill the session.
Because how could we likely end up in the above scenario?
The only one I can imagine is:
The user is upgrading screen with apt-get/aptitude/dpkg...
He can only do so, if no apt-get/aptitude/dpkg are running, because
otherwise, they would be locked.
So if that problem arises,... the user is just now updating screen from
within a screen session.
But I guess that session will continue to live, right?
So when he leaves or quits it, apt-get/dpkg is likely state where it is
stopped or can be killed.




Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to