Evaluate how safe our usage of di-netboot-assistant is
It lives in the libvirt::host::di_netboot_assistant class and libvirt::host::di_netboot_assistant::distribution defined resource in https://git-tails.immerda.ch/puppet-libvirt.
#1 Updated by bertagaz almost 5 years ago
If the process to update the installer pxe files is to remove the old ones and run puppet agent again for the recipe to download the new installer, then we might lack a bit of authenticity verification.
di-netboot-assistant doesn't seem to verify by itself the installer files it downloads (according to http://anonscm.debian.org/cgit/d-i/netboot-assistant.git/tree/di-netboot-assistant).
#3 Updated by BitingBird almost 5 years ago
If I found the right page, then the answer is no: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=di-netboot-assistant
#4 Updated by bertagaz over 4 years ago
- Type of work changed from Audit to Debian
Reported to Debian in bug 775904
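The authenticity check that comment #1 finds missing, sketched as an added example (not code from this ticket, the Puppet module or di-netboot-assistant): the downloaded netboot image is accepted only if it matches SHA256SUMS and SHA256SUMS matches the hash listed in an already signature-verified Release file. The archive paths, function names and sample files are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Hash-chain check for a debian-installer netboot image (added example).
# Precondition, not performed here: Release has been verified against its
# detached signature, e.g.
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release
# Paths below follow the Debian archive layout and are assumptions.
SUMS_PATH="main/installer-amd64/current/images/SHA256SUMS"
IMAGE_PATH="./netboot/netboot.tar.gz"

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Hash listed for path $2 in the "SHA256:" section of Release file $1.
release_sha256() {
    awk -v p="$2" '/^SHA256:/ {s=1; next} /^[^ ]/ {s=0}
                   s && $3 == p {print $1; exit}' "$1"
}

# Hash listed for path $2 in SHA256SUMS file $1.
sums_sha256() { awk -v p="$2" '$2 == p {print $1; exit}' "$1"; }

# verify_netboot RELEASE SHA256SUMS IMAGE: returns 0 only if both links hold.
verify_netboot() {
    want=$(release_sha256 "$1" "$SUMS_PATH")
    if [ -z "$want" ] || [ "$want" != "$(sha256_of "$2")" ]; then
        echo "SHA256SUMS is not vouched for by Release" >&2; return 1
    fi
    want=$(sums_sha256 "$2" "$IMAGE_PATH")
    if [ -z "$want" ] || [ "$want" != "$(sha256_of "$3")" ]; then
        echo "image does not match SHA256SUMS" >&2; return 1
    fi
}

# Build constructed sample files in directory $1 (not real Debian data).
make_sample() {
    mkdir -p "$1/netboot"
    printf 'constructed netboot payload\n' > "$1/netboot/netboot.tar.gz"
    ( cd "$1" && sha256sum "$IMAGE_PATH" > SHA256SUMS )
    printf 'Suite: constructed\nSHA256:\n %s %s %s\n' \
        "$(sha256_of "$1/SHA256SUMS")" "$(wc -c < "$1/SHA256SUMS" | tr -d ' ')" \
        "$SUMS_PATH" > "$1/Release"
}

demo=$(mktemp -d)
make_sample "$demo"
verify_netboot "$demo/Release" "$demo/SHA256SUMS" "$demo/netboot/netboot.tar.gz" \
    && echo "OK: image matches the Release hash chain"
rm -rf "$demo"
```

Run from Puppet before unpacking a refreshed image, a non-zero exit status keeps unverified installer files out of the PXE tree.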