On Mon, 2012-06-25 at 14:05 +0200, Axel Beckert wrote: > HTTPS may not be supported by all mirrors returned by cdn.debian.net. > Additionally for APT via HTTPS to work, a separate package > (apt-transport-https) is needed which may not be installed. See also > below. Yeah,... and more over,... we can't trust the mirrors...
> I consciously avoid APT and dpkg at that point as the howto must work > even when the dpkg or APT state databases are locked by a process > running inside the currently not reachable screen session. Valid point, too. Does dpkg-deb work without locking? Probably... > If so, this is potentially an alternative. But from my mind, > I'd say there is some locking so this wouldn't work. Probably. > Cumbersome, but also an option. As said... > I though fear that it's too cumbersome > so noone would actually check the hashsum. Well I mean all we must do (IMHO) is to explicitly warn people. If the users are stupid, you cannot forcibly prevent them from shooting themselves into their foot. Let me see... > if [ -r /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ]; then Is this always available? The squeeze keys might be dropped at some point after wheezy, right? > gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg > Release.gpg Release > else > gpgv Release.gpg Release > fi No handling if the verify step fails.. > sha256sum Packages.gz > fgrep main/binary-$ARCH/Packages.gz Release > # Check if hashsums are the same. If yes, continue Ah.... you don't mean all this simple script... guess that would have been better,.. cause now it's even more steps a user has to copy and past and compare than the poor-man-sha512-sums idea from above. > wget http://cdn.debian.net/debian/`zegrep -A13 '^Package: screen$' > Packages.gz | awk '/^Filename:/ {print $2}'` > zegrep -A13 '^Package: screen$' Packages.gz > sha256sum screen_*.deb > # Check if hashsums are the same. If yes, continue > dpkg-deb --fsys-tarfile screen_4.0.3-14*.deb | tar xvf - ./usr/bin/screen > usr/bin/screen -rd Apart from that it seems okay to me,... but it also doesn't handle the case if any deps are required ("This includes also installing further packages to get things done"). > sha256sum comes from coreutils, *grep from gzip + grep (all > essential). Only wget and gpgv are just of priority important. Well if someone has removed gpgv it's his own fault and he'll simply have to kill the running screen sessions. In general I'd say this: - a script which does the above automatically and absolutely securely (i.e. it fails with no unpacked screen binary if something cannot be verified), which is removed after wheezy, would be the best. - OTOH, as you already provide information that 4.1 cannot connect to pre 4.1 in the NEWS file, anyone installing it, should be able to clean up such existing sessions cleanly, before upgrading at all. Even if not,... the /tmp solution should work in 99% of all cases. And now if that didn't work, we have this howto. So I mean, we're basically already securing the fallback of the fallback ;) - Therefore, a plain hint (in the news file), that checking the trust paths of the deb files is utterly important, otherwise possibly compromising the system security, would in principle also be okay for me. - Whatever is done however, howto, script, hint... it's important IMHO that this is part of the package. It's useless if we provide a howto or script on, say wiki.debian.org, because this may not be securely reachable by the user. > As mentioned above, it must also work if dpkg or APT are locked and I > suspect that this means that apt-get can't be used at all. Yes,.. possible this doesn't work. OTOH one could also argue again,... that the user then simply has to kill the session. Because how could we likely end up in the above scenario? The only one I can imagine is: The user is upgrading screen with apt-get/aptitude/dpkg... He can only do so, if no apt-get/aptitude/dpkg are running, because otherwise, they would be locked. So if that problem arises,... the user is just now updating screen from within a screen session. But I guess that session will continue to live, right? So when he leaves or quits it, apt-get/dpkg is likely state where it is stopped or can be killed. Cheers, Chris.
smime.p7s
Description: S/MIME cryptographic signature

