[buildd-tools-devel] Bug#816897: sbuild --build-dep-resolver=aptitude will install packages from untrusted sources

Johannes Schauer josch at debian.org
Sun Apr 3 06:10:03 UTC 2016


Hi Ansgar,

On Sun, 06 Mar 2016 13:25:21 +0100 Ansgar Burchardt <ansgar at debian.org> wrote:
> sbuild --build-dep-resolver=aptitude will install packages from
> untrusted sources.

I cannot reproduce your findings.

I created a directory on my host with the sbuild packages from experimental,
ran:

	$ dpkg-scanpackages . /dev/null > Packages
	$ apt-ftparchive release . > Release

Then served that directory via http:

	$ python -m SimpleHTTPServer 8000

And then crafted a dummy source package with:

	Build-Depends: debhelper, sbuild (= 0.68.0-1.0~exp1), libsbuild-perl (= 0.68.0-1.0~exp1)

Then I ran:

	sbuild --extra-repository="deb http://127.0.0.1:8000/ ./" --build-dep-resolver=aptitude

And I get:

	The following NEW packages will be installed:
	  apt-utils{a} autotools-dev{a} bsdmainutils{a} dctrl-tools{a} debhelper{a} devscripts{a} dh-python{a} dh-strip-nondeterminism{a} file{a} gettext{a} gettext-base{a} groff-base{a} intltool-debian{a} libapt-inst2.0{a} libarchive-zip-perl{a} libboost-program-options1.58.0{a} libbsd0{a} libclass-data-inheritable-perl{a} libcroco3{a} libdevel-stacktrace-perl{a} libemail-date-format-perl{a} libexception-class-perl{a} libexpat1{a} libffi6{a} libfile-stripnondeterminism-perl{a} libfilesys-df-perl{a} libglib2.0-0{a} libicu55{a} libio-socket-ssl-perl{a} libmagic1{a} libmailtools-perl{a} libmime-lite-perl{a} libmpdec2{a} libnet-smtp-ssl-perl{a} libnet-ssleay-perl{a} libpipeline1{a} libpython3-stdlib{a} libpython3.5-minimal{a} libpython3.5-stdlib{a} libsbuild-perl{a} libssl1.0.2{a} libtimedate-perl{a} libunistring0{a} libxml2{a} man-db{a} mime-support{a} netbase{a} po-debconf{a} python3{a} python3-minimal{a} python3.5{a} python3.5-minimal{a} sbuild{a} sbuild-build-depends-testpkg-dummy schroot{a} schroot-common{a} 
	The following packages are RECOMMENDED but will NOT be installed:
	  at citadel-mta courier-mta curl debian-keyring debootstrap dma dput dput-ng dupload equivs esmtp-run exim4 exim4-daemon-heavy exim4-daemon-light ifupdown ifupdown2 libauthen-sasl-perl libdistro-info-perl libencode-locale-perl libglib2.0-data liblwp-protocol-https-perl libmail-sendmail-perl libmime-types-perl libnet-idn-encode-perl libnet-libidn-perl libsoap-lite-perl liburi-perl libwww-perl lintian lynx-cur masqmail msmtp-mta netscript-2.4 nullmailer opensmtpd patchutils postfix python3-debian python3-magic qmail-run sendmail-bin shared-mime-info ssmtp strace unzip wdiff wget xdg-user-dirs xml-core 
	0 packages upgraded, 56 newly installed, 0 to remove and 0 not upgraded.
	Need to get 27.7 MB/27.7 MB of archives. After unpacking 100 MB will be used.
	WARNING: untrusted versions of the following packages will be installed!
	
	Untrusted packages could compromise your system's security.
	You should only proceed with the installation if you are certain that
	this is what you want to do.
	
	  libsbuild-perl http://127.0.0.1:8000/./libsbuild-perl_0.68.0-1.0~exp1_all.deb
	  sbuild http://127.0.0.1:8000/./sbuild_0.68.0-1.0~exp1_all.deb
	
	Do you want to ignore this warning and proceed anyway?
	To continue, enter "yes"; to abort, enter "no": Abort.
	Not removing installed packages: cloned chroot in use
	
	+------------------------------------------------------------------------------+
	| Cleanup                                                                      |
	+------------------------------------------------------------------------------+
	
	Purging /<<BUILDDIR>>
	Not cleaning session: cloned chroot in use
	E: Package build dependencies not satisfied; skipping

So aptitude is indeed aborting the installation as expected. The situation
doesn't change when I sign the Release file with my own key either.

Can you give me more detailed steps of how to reproduce the effect you see?

Thanks!

cheers, josch
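As an added example (not part of josch's mail or of sbuild itself), a small Python check that a build-farm operator could run over sbuild/aptitude logs to flag the untrusted-package block shown above, list which repository hosts the untrusted .debs came from, and confirm that the install was aborted rather than confirmed. The sample log is constructed from the aptitude output quoted in the mail.

```python
from urllib.parse import urlparse

# Constructed sample: the relevant slice of the aptitude output quoted in the
# mail, pasted into a string so the check runs offline.
SAMPLE_LOG = """\
WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.

  libsbuild-perl http://127.0.0.1:8000/./libsbuild-perl_0.68.0-1.0~exp1_all.deb
  sbuild http://127.0.0.1:8000/./sbuild_0.68.0-1.0~exp1_all.deb

Do you want to ignore this warning and proceed anyway?
To continue, enter "yes"; to abort, enter "no": Abort.
E: Package build dependencies not satisfied; skipping
"""

WARNING = "WARNING: untrusted versions of the following packages will be installed!"
PROMPT = 'To continue, enter "yes"; to abort, enter "no":'

def parse_untrusted(log):
    """Return {"packages": [(name, url)], "hosts": [...], "aborted": ...}.
    aborted: True if the prompt ended in "Abort.", False if it did not,
    None if no prompt was printed at all (e.g. a non-interactive run)."""
    lines = [l.rstrip() for l in log.splitlines()]
    result = {"packages": [], "hosts": [], "aborted": None}
    if WARNING not in lines:
        return result  # nothing untrusted was offered
    # After the warning: explanatory paragraph, blank line, one indented
    # "<package> <url>" line per untrusted package, then a blank line.
    for line in lines[lines.index(WARNING) + 1:]:
        if not line.strip():
            if result["packages"]:
                break
            continue
        if line[0].isspace() and len(line.split()) == 2:
            result["packages"].append(tuple(line.split()))
    result["hosts"] = sorted({urlparse(u).netloc for _, u in result["packages"]})
    for line in lines:
        if PROMPT in line:
            result["aborted"] = line.endswith("Abort.")
    return result

if __name__ == "__main__":
    r = parse_untrusted(SAMPLE_LOG)
    for name, url in r["packages"]:
        print(f"untrusted: {name} from {url}")
    print("hosts:", r["hosts"], "aborted:", r["aborted"])
```

A log where `aborted` is False or where the untrusted block appears without any prompt at all is the case worth alerting on, since it means unsigned packages went into the build chroot.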