Project

General

Profile

Feature #8507

Evaluate how safe our usage of di-netboot-assistant is

Added by intrigeri almost 5 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Infrastructure
Target version:
Start date:
01/01/2015
Due date:
% Done:

0%

Feature Branch:
Type of work:
Debian
Blueprint:
Starter:
Affected tool:

Description

It lives in the libvirt::host::di_netboot_assistant class and libvirt::host::di_netboot_assistant::distribution defined resource in https://git-tails.immerda.ch/puppet-libvirt.


Related issues

Related to Tails - Bug #10092: Use di-netboot-assistant in a safer way Resolved 08/25/2015

History

#1 Updated by bertagaz almost 5 years ago

If the process to update the installer pxe files is to remove the old ones and run puppet agent again for the recipe to download the new installer, then we might lack a bit of authenticity verification.

di-netboot-assistant doesn't seem to verify by itself the installer files it downloads (according to http://anonscm.debian.org/cgit/d-i/netboot-assistant.git/tree/di-netboot-assistant).

#2 Updated by intrigeri almost 5 years ago

di-netboot-assistant doesn't seem to verify by itself the installer
files it downloads

Is there an upstream bug for that?

#4 Updated by bertagaz over 4 years ago

  • Type of work changed from Audit to Debian

#5 Updated by intrigeri about 4 years ago

di-netboot-assistant 0.39's changelog reads:

  • Implement the inclusion of debian-installer packages. Add
    instructions to the README and a warning when installing insecurely.

... which should solve our concerns.

#6 Updated by intrigeri about 4 years ago

  • Related to Bug #10092: Use di-netboot-assistant in a safer way added

#7 Updated by intrigeri about 4 years ago

  • Status changed from Confirmed to Resolved

Evaluation completed, next step is #10092.

#8 Updated by BitingBird about 4 years ago

  • Target version set to Tails_1.6

Also available in: Atom PDF