-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, Dec 17, 2016 at 12:20:04AM +0100, Julian Andres Klode wrote:
> On Fri, Dec 16, 2016 at 10:32:00PM +0000, Patrick Schleizer wrote:
> > Could you please provide information on how long safe / unsafe lines are
> > or how to detect them?
> >
> > Ideally could you please provide some sanity check command that could be
> > used to detect malicious InRelease files such as 'find /var/lib/apt
> > -name '*InRelease*' -size +2M' or so?
>
> Checking that wc -L (longest line) of the release file is reasonably small
> (like 256, 512, or 1024) should be enough. Currently, it's about 140 chars
> for unstable.

wc -L seems like a good one-liner, thanks!

> > The problem is,
> >
> > - debootstrap can only bootstrap from one source such as
> > 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> > (Correct me if I am wrong, I would hope to be wrong on that one.)
>
> Right now yes. That will contain a new APT in a point release. That said,
> there might be issues in debootstrap's Release file verification, someone
> should check that...

It looks like it uses Release.gpg, so this bug does not apply, right?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYVHioAAoJENuP0xzK19csiL8IAIetZlBLlR8EiNvDouC1SRjw
c028w+CB5+YOA8RUukwtgaoljpaHnPGZ67BFKTgw2UKq5Srk+LVebPOOKXBrYRAA
h7Ku+nzhVIYagHAbqYQ1ZqsmWyI7JK1y0PjyDtdnp2RGQONWr1llP/gju9dVg5sg
ABv2CUeH0+/RRNuTFXxP2MBeciwaWfHxfEVgSvxhRLlZUqiNblcZqi4YAWNET/WU
kfe5ntASdCbcs+kjk0GTB0I8EmDp/lj4uH2Y+hI6eVuOYmoFTxNkkth2pf7gQfv9
0lePfhnaEpKbuyMAP6SIkYk0kq92iL796y2Hk2JPE4CgjBJ7LzCXD3qBG8LmZQ8=
=jN+8
-----END PGP SIGNATURE-----
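The two sanity checks discussed in the thread (a `wc -L` longest-line check and a `find ... -size +2M` size check on cached InRelease files) combined into one small POSIX shell script. This is an added example, not code from any of the thread's participants or from the apt project; the default thresholds follow the thread's suggestions (1024 characters, 2 MiB), the flat-directory glob reflects how apt lays out its lists directory, and the sample files in the demo are constructed, not real index data.

```shell
#!/bin/sh
# Added example (not from the thread): flag cached *InRelease* files whose
# longest line or total size exceeds a threshold. Thresholds are assumptions
# taken from the suggestions in the thread (1024 chars, 2 MiB); a normal
# InRelease file has lines of roughly 140 characters.

# Longest line in a file, in characters (GNU wc -L, as used in the thread).
longest_line() {
    wc -L < "$1" | tr -d ' '
}

# File size in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Exit 0 when the file is within both limits, 1 when it exceeds either.
# Usage: check_inrelease FILE [MAX_LINE_CHARS] [MAX_BYTES]
check_inrelease() {
    f=$1
    max_line=${2:-1024}
    max_bytes=${3:-2097152}   # 2 MiB, matching 'find -size +2M'
    [ "$(longest_line "$f")" -le "$max_line" ] || return 1
    [ "$(file_size "$f")" -le "$max_bytes" ] || return 1
    return 0
}

# Print the path of every *InRelease* file in DIR that fails the check.
# apt keeps its lists in a flat directory (/var/lib/apt/lists), so a glob
# is enough here; use find(1) as in the thread if you need to recurse.
# Usage: suspicious_inrelease DIR [MAX_LINE_CHARS] [MAX_BYTES]
suspicious_inrelease() {
    dir=$1
    shift
    for f in "$dir"/*InRelease*; do
        [ -f "$f" ] || continue
        check_inrelease "$f" "$@" || printf '%s\n' "$f"
    done
}

# Demo on constructed files (not real apt data): one sane-looking file and
# one with a single 5000-character line. Prints the path of the bad one.
demo_suspicious() {
    d=$(mktemp -d)
    printf 'Origin: Example\nSuite: unstable\nDate: Sat, 17 Dec 2016 00:00:00 UTC\n' \
        > "$d/example_dists_unstable_InRelease"
    {
        printf 'Origin: Example\n'
        awk 'BEGIN { for (i = 0; i < 5000; i++) printf "A"; printf "\n" }'
    } > "$d/example_dists_sid_InRelease"
    suspicious_inrelease "$d"
    rm -rf "$d"
}

demo_suspicious
```

Run it against the real cache with `suspicious_inrelease /var/lib/apt/lists`; an empty result means every cached InRelease file is within both limits. Because the check only looks at line length and size, it is a cheap sanity check to run alongside, not instead of, apt's own signature verification.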