Patrick Schleizer:
> Julian Andres Klode:
>> (2) look at the InRelease file and see if it contains crap
>> after you updated (if it looks OK, it's secure - you need
>> fairly long lines to be able to break this)
>
> Thank you for that hint, Julian!
>
> Can you please elaborate on this? (I am asking for Qubes and Whonix
> (derivatives of Debian) build security purposes. [1])
>
> Could you please provide information on how long safe / unsafe lines are
> or how to detect them?
>
> Ideally could you please provide some sanity check command that could be
> used to detect malicious InRelease files such as 'find /var/lib/apt
> -name '*InRelease*' -size +2M' or so?
>
> The problem is,
>
> - debootstrap can only bootstrap from one source such as
> 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> (Correct me if I am wrong, I would hope to be wrong on that one.)
>
> - bootstrapping from 'http://security.debian.org' is not possible
> [contains only security updates, not a complete repository].
>
> - So in conclusion one has a chance to get compromised when
> bootstrapping from 'http://ftp.de.debian.org/debian' and then apt-get
> upgrading from 'http://security.debian.org'.
>
> Is there any way to break this cycle?
>
> Best regards,
> Patrick
>
> [1] https://github.com/QubesOS/qubes-issues/issues/2520
>
One thing that would help a lot with future issues like this is to use only
encrypted connections in /etc/apt/sources.list. That can be either HTTPS or a
Tor Hidden Service .onion address. For an in-depth discussion of this, see:

* https://labs.riseup.net/code/issues/8143
* https://guardianproject.info/2016/07/31/howto-get-all-your-debian-packages-via-tor-onion-services/
* https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/

For the official Debian Tor Hidden Service addresses including apt mirrors,
see: https://onion.debian.org/

.hc
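A POSIX shell sanity check, added here as an example and not code from either message in the thread: it covers the detection command Patrick asks for (scanning *InRelease files for unusually long lines and for anything after the PGP signature block) and hc's advice (flagging sources.list entries that fetch over plain http to a non-.onion host). The line-length threshold is an assumption, since the thread gives no number; the tor+ URI prefix is apt-transport-tor's; the sample files the script builds are constructed, not real mirror data.

```shell
#!/bin/sh
# Added example, not code from the thread. check_inrelease DIR reports each
# *InRelease file's longest line and any lines after the END PGP SIGNATURE
# marker (MAX_LINE is an ASSUMPTION: the thread gives no number for "fairly
# long"). check_sources FILE flags sources.list entries fetched over plain
# http:// to a non-.onion host (tor+ prefix from apt-transport-tor, assumed).
MAX_LINE=1024
check_inrelease() {
    dir="$1"; rc=0
    for f in "$dir"/*InRelease; do
        [ -f "$f" ] || continue
        # awk prints "<longest line length> <lines after END PGP SIGNATURE>"
        set -- $(awk 'length($0) > m { m = length($0) }
            seen_end { trailing++ }; /^-----END PGP SIGNATURE-----$/ { seen_end = 1 }
            END { print m + 0, trailing + 0 }' "$f")
        if [ "$1" -gt "$MAX_LINE" ] || [ "$2" -gt 0 ]; then
            echo "SUSPECT $f: longest line $1, $2 line(s) after signature"; rc=1
        else
            echo "ok $f: longest line $1"
        fi
    done
    return $rc
}
check_sources() {
    file="$1"; rc=0
    while IFS= read -r line; do
        case "$line" in ""|\#*) continue ;; esac
        # Drop an optional "[arch=...]" options token, then take the URI field
        uri=$(printf '%s\n' "$line" | sed 's/\[[^]]*\]//' | awk '{ print $2 }')
        scheme=${uri%%://*}; host=${uri#*://}; host=${host%%/*}
        case "$scheme:$host" in
            https:*|tor+https:*) ;;
            http:*.onion|tor+http:*.onion) ;;
            http:*|tor+http:*) echo "PLAINTEXT $uri"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}
# Constructed fixtures (not real mirror data) so the checks can run offline
make_samples() {
    mkdir -p "$1/lists"
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' 'Origin: Debian' \
        '-----BEGIN PGP SIGNATURE-----' 'signaturedata' '-----END PGP SIGNATURE-----' >"$1/lists/good_InRelease"
    { echo '-----BEGIN PGP SIGNED MESSAGE-----'; printf '%3000s\n' '' | tr ' ' A
      printf '%s\n' '-----END PGP SIGNATURE-----' 'trailing junk'; } >"$1/lists/bad_InRelease"
    printf '%s\n' 'deb http://ftp.de.debian.org/debian stretch main' \
        'deb [arch=amd64] https://deb.debian.org/debian stretch main' \
        'deb tor+http://EXAMPLE.onion/debian stretch main' >"$1/sources.list"
}
```

Run `make_samples /tmp/aptcheck && check_inrelease /tmp/aptcheck/lists; check_sources /tmp/aptcheck/sources.list` to see one clean and one flagged InRelease file plus the plain-http mirror line reported; on a real system point the functions at /var/lib/apt/lists and /etc/apt/sources.list.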