Julian Andres Klode:
> (2) look at the InRelease file and see if it contains crap
>     after you updated (if it looks OK, it's secure - you need
>     fairly long lines to be able to break this)

Thank you for that hint, Julian!

Can you please elaborate on this? (I am asking for Qubes and Whonix
(derivatives of Debian) build security purposes. [1])

Could you please provide information on how long safe / unsafe lines are
or how to detect them?

Ideally could you please provide some sanity check command that could be
used to detect malicious InRelease files such as 'find /var/lib/apt
-name '*InRelease*' -size +2M' or so?

The problem is,

- debootstrap can only bootstrap from one source such as
'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
(Correct me if I am wrong, I would hope to be wrong on that one.)

- bootstrapping from 'http://security.debian.org' is not possible
[contains only security updates, not a complete repository].

- So in conclusion one has a chance to get compromised when
bootstrapping from 'http://ftp.de.debian.org/debian' and then apt-get
upgrading from 'http://security.debian.org'.

Is there any way to break this cycle?

Best regards,
Patrick

[1] https://github.com/QubesOS/qubes-issues/issues/2520

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/735685eb-5968-79ae-e22f-71d0d2fd9c56%40riseup.net.
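A sanity check along the lines of Julian's hint, written as an added example for this thread (it is not code from apt, Debian, or the original poster): it walks apt's list cache and flags any InRelease file whose lines are unusually long or whose signed body contains anything other than Release fields and checksum rows. The length threshold, the list directory and the structural rules are my own assumptions, since the thread gives no exact numbers.

```python
import glob
import re
# Constructed defaults: the thread gives no exact threshold, so this is a
# conservative guess of mine, not a value taken from apt or from any advisory.
MAX_LINE_LENGTH = 1024
LIST_DIR = "/var/lib/apt/lists"  # where apt caches downloaded InRelease files

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# A Release body is "Field: value" lines plus indented "<hash> <size> <path>" rows.
FIELD_RE = re.compile(r"^[A-Za-z0-9-]+:.*$")
CHECKSUM_RE = re.compile(r"^ [0-9a-fA-F]+ +\d+ +\S+$")


def check_inrelease(text, max_line_length=MAX_LINE_LENGTH):
    """Return a list of findings for one InRelease file; empty means it looks sane."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        return ["does not start with a clearsigned PGP header"]
    # A sane file has exactly one signed message and exactly one signature block.
    for marker in (BEGIN_SIGNED, BEGIN_SIG, END_SIG):
        if lines.count(marker) != 1:
            findings.append(f"expected exactly one {marker!r}, found {lines.count(marker)}")
    sig_start = lines.index(BEGIN_SIG) if BEGIN_SIG in lines else len(lines)
    in_body = False
    for num, line in enumerate(lines, 1):
        if len(line) > max_line_length:
            findings.append(f"line {num}: {len(line)} chars, longer than {max_line_length}")
        if num == 1 or num > sig_start:
            continue  # the armor header and the signature block are not Release fields
        if not in_body:
            in_body = line == ""  # "Hash: ..." armor headers end at the first blank line
            continue
        if line and not (FIELD_RE.match(line) or CHECKSUM_RE.match(line)):
            findings.append(f"line {num}: unexpected content {line[:40]!r}")
    return findings


def scan_lists(directory=LIST_DIR):
    """Check every cached InRelease file under directory; returns {path: findings}."""
    results = {}
    for path in sorted(glob.glob(f"{directory}/*InRelease")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = check_inrelease(fh.read())
    return results


if __name__ == "__main__":
    for path, findings in scan_lists().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it after an update; any file reported with findings deserves a manual look before trusting that apt run.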