Package: debootstrap
Version: 1.0.126+nmu1
Severity: normal
Tags: security
Hey there.

As far as I understood it, debootstrap defaults neither to --no-check-gpg nor to --force-check-gpg, but instead, if a keyring is specified for some distribution and if that file is available, it uses (and verifies) these (and hopefully fails if anything fails later on). However, it also:

- falls back to https (?)
- correct me if I'm wrong, falls back to no verification if no key file was specified for the distribution or the file wasn't found

That seems to make it too easy to accidentally install untrusted code.

https is generally questionable, given the broken CA model. There are some 150 CAs in the Mozilla CA bundle, and on top of these thousands of intermediate CAs. It seems far too easy for an attacker to fake a certificate if that's really desired.

So my suggestion would be:

- default to --force-check-gpg
- add some --check-gpg-but-fallback-to-https option that is the current behaviour
- if either the /usr/share/debootstrap/scripts/ for some distro doesn't name a keyring file or that file isn't readable, fail unless --no-check-gpg is given. Yes, that also includes failure if --check-gpg-but-fallback-to-https was given, because likely the keyring file should be just there.

Cheers,
Philippe
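The fail-closed policy proposed above can be enforced today in a wrapper around debootstrap. The following is an added example (not debootstrap's own code nor the reporter's); it assumes the suite script under the scripts directory names its keyring with a line of the form `keyring /path/to/file.gpg`, and the function and variable names are its own.

```shell
#!/bin/sh
# Wrapper implementing the proposed behaviour: refuse to bootstrap unless the
# suite script names a keyring and that file is readable, then run debootstrap
# with --force-check-gpg so a missing or failed signature check is fatal.

# keyring_for_suite SCRIPTS_DIR SUITE
# Prints the path from the first "keyring <path>" line of the suite script.
# Returns 1 if the suite script does not exist.
keyring_for_suite() {
    script="$1/$2"
    [ -f "$script" ] || return 1
    sed -n 's/^[[:space:]]*keyring[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$script" | head -n 1
}

# verify_keyring_policy SCRIPTS_DIR SUITE
# Returns 0 only when the suite names a keyring and it is readable; this is the
# check that the report asks debootstrap to perform unless --no-check-gpg is given.
verify_keyring_policy() {
    keyring=$(keyring_for_suite "$1" "$2") || { echo "no script for suite $2" >&2; return 1; }
    [ -n "$keyring" ] || { echo "suite $2 names no keyring; refusing to continue" >&2; return 1; }
    [ -r "$keyring" ] || { echo "keyring $keyring is not readable; refusing to continue" >&2; return 1; }
    return 0
}

# safe_debootstrap SUITE TARGET MIRROR [SCRIPTS_DIR]
# Fails before touching the network if the policy check does not pass.
safe_debootstrap() {
    suite="$1"; target="$2"; mirror="$3"
    scripts="${4:-/usr/share/debootstrap/scripts}"
    verify_keyring_policy "$scripts" "$suite" || return 1
    keyring=$(keyring_for_suite "$scripts" "$suite")
    debootstrap --force-check-gpg --keyring="$keyring" "$suite" "$target" "$mirror"
}
```

Running the wrapper instead of bare debootstrap turns the silent fallback to unverified downloads into an explicit error.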