Hi Wolfgang, hi Holger,

On Fr 16 Aug 2019 11:41:56 CEST, Wolfgang Schweer wrote:

> On Thu, Aug 15, 2019 at 03:54:54PM +0000, Holger Levsen wrote:
> > On Thu, Aug 15, 2019 at 02:38:33PM +0000, Debian FTP Masters wrote:
> > > Source: debian-edu-config
> > > Version: 2.10.67
> > [...]
> > > debian-edu-config.fetch-ldap-cert:
> > > - Fully inline-document fetch-ldap-cert script.
> >
> > this is really great
> >
> > > - White-space-only change: Fix broken and inconsistent indentations.
> >
> > looking at the debdiff between what's in stable and this it seems this is
> > mostly not visible because it's basically/almost a rewrite anyway:
> >
> > $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
> >  Makefile                                                              |   2
> >  cf3/cf.finalize                                                       |  52 +
> >  cf3/cf.homes                                                          |   2
> >  cf3/cf.workarounds                                                    |  16
> >  cf3/edu.cf                                                            |   1
> >  debian/changelog                                                      |  96 +++
> >  debian/control                                                        |   2
> >  debian/debian-edu-config.fetch-ldap-cert                              | 283 ++++++++--
> >  debian/debian-edu-config.postinst                                     |  14
> >  etc/ltsp/ltsp-build-client.conf                                       |   2
> >  etc/network/if-up.d/hostname                                          |  43 -
> >  share/debian-edu-config/d-i/finish-install                            |  31 -
> >  share/debian-edu-config/edu-firefox-nfs                               |   1
> >  share/debian-edu-config/sudo-ldap.conf                                |   1
> >  share/debian-edu-config/tools/create-debian-edu-certs                 |   2
> >  share/debian-edu-config/tools/kerberos-kdc-init                       |   5
> >  share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings  |   4
> >  17 files changed, 418 insertions(+), 139 deletions(-)
> >
> > (so maybe it would have been wiser not to mention the white-space only
> > changes, as the release team really dislikes them.)
> >
> > however/anyway, I'm not sure we can get this past the release team for
> > the stable point release. we might. we think all these changes are
> > useful/needed for stable, right?
>
> Useful, yes; but IMO we could get along for Buster without the
> fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the
> stable release team dislikes these.
Disagreeing here. The fetch-ldap-cert changes are security related and get things right about the rootCA handling in Debian Edu buster.
The white-space changes are awkward to review, but the readability of the script is much better now (as indentation is now correct + all the comments).
(And: we, that is Holger, have/has got other d-e-c changes into a stable-pu, as we don't affect other software packages).
> Among improved checks for a lot of possible failures, the rewrite has the
> benefit of validating the LDAP server certificate against the Debian Edu
> rootCA one (the version shipped with d-e-c 2.10.66 did this against the
> bundle-crt certificate). Both are downloaded from www.intern, as opposed
> to the LDAP server cert that is fetched from the LDAP server itself. The
> bundle certificate contains the Debian Edu rootCA certificate and the
> multipurpose server certificate (as a chain). This server certificate is
> used for all configured Debian Edu server services, including the LDAP
> service. While using the single Debian Edu rootCA certificate for
> validation is the better way to go, the bundle certificate can be used as
> well.
Yes. Thanks for pointing this out!!! It is the much better / cleaner / expected-by-admins approach.
> Another improvement of the fetch-ldap-cert script shipped with d-e-c
> 2.10.67 is the use of independent conditions for host and LTSP chroot
> (instead of the global condition introduced with commit f8f436e); but
> then the drawback caused by this change for LTSP chroots has also been
> dealt with via d-e-c 2.10.66 fixes. Mike, please comment.
Furthermore, we now entirely fixed backwards compatibility (new Debian Edu clients running against old Debian Edu TJENERs). This was the main flaw of the original Debian 10.0 implementation. You can't use Debian Edu 10 clients on a network running on a TJENER from 9.x or 8.x. While investigating this, Petter pointed us to the security flaw of always updating the LDAP server certificate on clients. Only deploying the LDAP server cert once protects the user against password sniffing, if someone malign takes over the network.
Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now is easy to read,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
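As an added example, not the fetch-ldap-cert script from debian-edu-config: a small POSIX shell demo of the two properties discussed above, validating a fetched LDAP server certificate against the rootCA (the rootCA+server bundle works as a CAfile too) with openssl, and deploying the cert once rather than overwriting it on every run. It assumes openssl on PATH; the throwaway PKI and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the debian-edu-config script. Assumes: openssl on PATH.
# Names below (WORK dir, rootca/ldap/rogue/bundle files) are constructed.
set -u
WORK="${TMPDIR:-/tmp}/ldapcert-demo.$$"
mkdir -p "$WORK"

# Constructed PKI: a throwaway rootCA, an LDAP server cert signed by it,
# a bundle (rootCA + server cert, like bundle-crt), and an unrelated
# self-signed cert with the same CN standing in for a rogue LDAP server.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=rootCA \
    -keyout "$WORK/rootca.key" -out "$WORK/rootca.crt" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj /CN=ldap.intern \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$WORK/ldap.csr" -CA "$WORK/rootca.crt" \
    -CAkey "$WORK/rootca.key" -CAcreateserial -out "$WORK/ldap.crt" \
    >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ldap.intern \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1 || return 1
  cat "$WORK/rootca.crt" "$WORK/ldap.crt" > "$WORK/bundle.crt"
}

# cert_valid CAFILE CERT: exit 0 if CERT chains to a cert in CAFILE, else 1.
# CAFILE may be the single rootCA or the rootCA+server bundle.
cert_valid() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# deploy_once CERT DEST: install CERT at DEST only on first deployment.
# Returns 0 when installed, 2 when DEST already exists (left untouched),
# so a later, possibly hostile, cert never replaces the trusted one.
deploy_once() {
  [ -e "$2" ] && return 2
  cp "$1" "$2"
}
```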