On Sunday, 26 November 2023 4:56:03 AM AEDT Christoph Anton Mitterer wrote:
> The most recent upgrade forces people to use update-smart-drivedb by doing
> it already in the postinst and not leaving it up to the user whether he
> wants to use such a tool.
>
> Security-wise this is really a bad idea.

I think you misunderstood: the invocation of `update-smart-drivedb` in postinst is equivalent to

```
cp -f /usr/share/smartmontools/drivedb.h /var/lib/smartmontools/drivedb/
```

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006019#17 as well as https://salsa.debian.org/debian/smartmontools/-/commit/5b1fd114a

Of course I would not recommend downloading drivedb from postinst, and this is not what's happening.

> Even if the downloader tool does everything right (which is actually quite
> difficult if one assumes things like replay or blocking attacks), there's
> still code introduced which is not in the control of Debian and especially
> also outside security support.

IMHO this is a valid concern; however, this tool is not used as a downloader in postinst. What do you think, Paul?

> Now you may argue that Debian doesn't audit the drivedb.h it ships either
> and that thus security wouldn't be any better if Debian would just ship
> the upstream file.
> But there's still a difference:
> If Debian ships the package, then all installations are guaranteed to get
> the same file.

Debian ships the file. Merely the installation method has changed, nothing else.

> If however the package is downloaded from some remote server, an attacker
> can choose based on IP whether the "good" or the "evil" file is delivered.

The file is NOT downloaded from postinst.

> And this is not to say that I'd assume smartmontools upstream would be
> evil. But even their GPG keys or systemd can be compromised.

A lot of things can be compromised. Far-fetched paranoid speculations hardly make the case stronger.

> But please don't force it on everyone by unconditionally calling it from
> postinst (or from anywhere else).

I read your concerns, but the reality of what you've described is not what is actually happening.

--
Kind regards,
 Dmitry Smirnov
 GPG key : 4096R/52B6BBD953968D1B

---

It is strange that many believe they cannot control themselves, but they
can control others.
-- Robert LeFevre, "A Way to Be Free: The Autobiography of Robert LeFevre, Volume I" (1999)
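The point of contention in the thread is whether the file under /var/lib/smartmontools/drivedb/ is the copy that Debian ships or something fetched from a remote server. The practical check an administrator would want is to compare the active drivedb byte-for-byte with the packaged copy under /usr/share/smartmontools/. The script below is an added example written for this page; it is not code from the thread, from Debian's postinst, or from smartmontools. The function takes both paths as parameters (the Debian paths are only named in the comments as the intended use), and the demo works on constructed files in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from smartmontools/Debian.
# Intended use on a Debian system (paths as named in the thread):
#   drivedb_matches_packaged /usr/share/smartmontools/drivedb.h \
#                            /var/lib/smartmontools/drivedb/drivedb.h
# Returns 0 when the second file is a regular (non-symlink) file whose
# SHA-256 equals that of the first, i.e. the active drivedb is exactly the
# packaged one; returns 1 otherwise.
drivedb_matches_packaged() {
    packaged="$1"
    installed="$2"
    [ -f "$packaged" ]  || { echo "missing packaged copy: $packaged" >&2; return 1; }
    [ -f "$installed" ] || { echo "missing installed copy: $installed" >&2; return 1; }
    # A symlink would pass -f (it follows links); treat it as a finding in itself,
    # since a link can be repointed without touching the packaged file.
    if [ -L "$installed" ]; then
        echo "$installed is a symlink, not a copy" >&2
        return 1
    fi
    packaged_sum=$(sha256sum "$packaged" | cut -d' ' -f1)
    installed_sum=$(sha256sum "$installed" | cut -d' ' -f1)
    echo "packaged:  $packaged_sum"
    echo "installed: $installed_sum"
    [ "$packaged_sum" = "$installed_sum" ]
}

# Self-contained demo with constructed files (no real drivedb.h required).
demo() {
    tmp=$(mktemp -d)
    # constructed stand-in for the packaged drivedb.h
    printf '/* constructed drivedb.h for the demo */\n' > "$tmp/drivedb.h"
    mkdir -p "$tmp/var/drivedb"
    # what the thread says postinst does: a plain forced copy
    cp -f "$tmp/drivedb.h" "$tmp/var/drivedb/drivedb.h"
    drivedb_matches_packaged "$tmp/drivedb.h" "$tmp/var/drivedb/drivedb.h" \
        && echo "OK: active drivedb is the packaged copy"
    # simulate the case the reporter worried about: the active copy was replaced
    printf '// extra content not in the package\n' >> "$tmp/var/drivedb/drivedb.h"
    drivedb_matches_packaged "$tmp/drivedb.h" "$tmp/var/drivedb/drivedb.h" \
        || echo "WARNING: active drivedb differs from the packaged copy"
    rm -rf "$tmp"
}

demo
```

On a real system the same comparison can be extended to the packaged file itself: dpkg records the MD5 of every file it installed in /var/lib/dpkg/info/smartmontools.md5sums, so checking /usr/share/smartmontools/drivedb.h against that list confirms the packaged copy is the one from the .deb before it is used as the reference.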