[Secure-testing-team] Bug#610086: Do not use --allow-unauthenticated to fetch packages
Thijs Kinkhorst
thijs at debian.org
Sat Jan 15 10:46:56 UTC 2011
Package: ia32-libs
Version: 20110115
Severity: important
Tags: security patch

Hi,

The fetch-and-build script uses --allow-unauthenticated to download the
packages to include in the build. This is quite undesirable because
essentially this unnecessarily breaks the trust chain for the hundreds
of megabytes of package data that are used to build this package.

Please include attached patch which resolves that by bootstrapping the
APT trustdb with the keys installed on the local system.

Cheers,
Thijs
-------------- next part --------------
--- fetch-and-build.orig 2011-01-15 11:09:06.691996158 +0100
+++ fetch-and-build 2011-01-15 11:31:58.643990659 +0100
@@ -59,15 +59,10 @@
mkdir -p $APTDIR/state/lists/partial
mkdir -p $APTDIR/cache/archives/partial
echo -n > $APTDIR/state/status
+# Bootstrap APT keystore with the one from the local system
+cp -a /etc/apt/trusted.gpg $APTDIR/etc/
-# Probe apt version for --allow-unauthenticated
-APT_VER=$(apt-get --version | head --lines 1 | cut -d" " -f2)
-if dpkg --compare-versions "$APT_VER" ">=" 0.6; then
- # Sid apt needs authentication
- APT_AUTH="--allow-unauthenticated"
-fi
-
-APT_GET="$APT_GET $APT_AUTH"
+APT_GET="$APT_GET"
$APT_GET update
$APT_GET autoclean
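
Review bot: the added `cp -a /etc/apt/trusted.gpg $APTDIR/etc/` (right after `echo -n > $APTDIR/state/status`) is not checked for failure, so unless the script already runs under `set -e` (not visible here) a missing or unreadable host keyring lets the script carry on to `$APT_GET update` with an empty keystore, and the problem only surfaces later as signature errors. Suggest quoting the variable and stopping on error, e.g. `cp -a /etc/apt/trusted.gpg "$APTDIR/etc/" || exit 1`. The visible context creates only `$APTDIR/state/lists/partial` and `$APTDIR/cache/archives/partial`, so please confirm `$APTDIR/etc` is created earlier in the script. Also, the replacement line `APT_GET="$APT_GET"` at the end of the hunk is a no-op self-assignment and can simply be dropped.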