Hi,

On Mon, 27 May 2019, Vagrant Cascadian wrote:
> So it's non-trivial to add support for arbitrary files in arbitrary
> directories in a secure manner...

I would argue that the security aspect here is somewhat irrelevant.
simple-cdd is run against a repository/mirror that is selected by the
user. If he selects a malicious mirror, the malicious mirror can do
much more harm... no matter whether this file exists or not.

> > In my specific case, the Debian mirror is created with "debmirror"
> > and this tool doesn't include that file. But I could also mention the
> > case of many derivatives that just use reprepro.
> 
> Maybe these other tools could add support for extrafiles?

Maybe, but it's unlikely. Those tools are meant to create/mirror
APT repositories and arguably this extrafile is just
not part of any concept of an APT repository.

To me it's really clear that it's simple-cdd that should
have the required flexibility.

> It's unfortunate that it may not work in all environments, though
> simple-cdd has always targeted building images with files from
> debian.org, and not arbitrary locations.

When you sell yourself as a tool to create "Custom Debian Distribution",
IMO you should support being built against a custom Debian mirror.

Due to the flexibility of simple-cdd, it has always been used by
private derivatives and the like; it would be sad to lose those users.

> A patch to enable support without extrafiles would, of course, be
> considered if it didn't risk degrading the trust path by default.

I'm sorry, I don't have the time for this. Do you want to tag this bug
help then?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
