The changelog.txt is always downloaded. It will never be cached. All other files in tds.net will be cached.
|
I found a security bug in slackpkg/slackpkg+, but I'm not sure if I want/can/should/must fix it.
slackpkg+ is used also for ConnochaetOS. It is not a problem, but the repository contains also a MODIFIED mirror of slackware-14.1 where the author has added some metadata (deps file). Then he has added his own GPG-KEY to sign the CHECKSUMS.md5
Code:
pub 4096R/132DCE57 2015-04-13 [expires: 2025-04-10]
Code:
$ gpg --import GPG-KEY
Code:
$ wget https://connochaetos.org/slack-n-free/salix/i486/slackware-14.1/slackware/a/aaa_base-14.1-i486-1.txz
This is the first security bug. gpg --verify checks the signed file against all trusted keys. I expect that in the slack-n-free repository I see ConnochaetOS packages only; instead I see also slackware packages (but I may find also alienbob/slacky/other packages, copied from the original repository). Or slackpkg install should tell the user some information about its authenticity (the subject of the key that has signed the file), instead of telling him just about integrity. Also, in the config example file the author suggests to add this repository in /etc/slackpkg/mirrors. Now when I run slackpkg update gpg, it does not import the slackware gpg-key, so the installation/upgrade of slackware packages from that fake slackware repository will fail. This is a functional bug AND the second (and I think the major) security bug, i.e. I can put in /etc/slackpkg/mirrors a mirror of slackware not signed with the original slackware signature. When you start slackpkg, it does verify that the official slackware key is imported in the gnupg db
Code:
SLACKKEY=${SLACKKEY:-"Slackware Linux Project <security@slackware.com>"}
Code:
function checkgpg() {
It is not a big security bug because even if a package is signed with a different key, the key was trusted in the gnupg store by the user. In effect the question is not "how to fix?" but "do we need to fix?". A fix could break some repository. Note that ConnochaetOS is a SalixOS based distribution. Salix is based on the slapt-get package tool to manage dependencies, so it NEEDS a slackware repository with deps metadata. The Salix official repository signs just the CHECKSUMS.md5 with the GPG-KEY; the packages are not signed (so you need to install them with slackpkg -checkgpg=off). Any suggestions?
|
Slackpkg was not created with multiple 3rd party support in mind, so the checkgpg function is pretty basic and seems to assume that slackpkg will only install Slackware packages and therefore a check against a specific GPG key is not needed.
However, slackpkg was also written to be extensible, which is why you were able to write your slackpkg+ extension. I think that the checkgpg() function needs to be re-implemented (extended) as part of slackpkg+; the function should do a "gpg --verify" against the GPG key of the repository from which you are installing the package, and installation of the package should be aborted if the GPG check fails for the package. This implies that all packages in a single repository need to be signed with a single GPG key. The ConnochaetOS repository apparently contains a mix of packages, from Slackware, Salix and from ConnochaetOS? That is not a good idea. The solution would be to offer multiple sub-repositories, each containing packages that have been signed with just a single GPG key. Also, it would be good if any URL that gets added to the official "/etc/slackpkg/mirrors" file contains ONLY packages signed with the Slackware GPG key. There must be no room for 3rd party repositories in the official "mirrors" file. This is to protect people against carelessness. If it would ever happen that a bogus Slackware repository with infected packages finds its way into the "mirrors" file and those packages get installed, we are screwed. I think this extension to the checkgpg() function should be submitted back as a fix to slackpkg as well, because at this moment it gives a false sense of security. |
Quote:
Code:
--- /usr/libexec/slackpkg/core-functions.sh 2015-12-16 08:01:12.000000000 +0100
But a surer way may be to check the fingerprint:
Code:
gpg --verify ${1}.asc ${1} 2>&1|grep -q "EC56 49DA 401E 22AB FA67 36EF 6A44 63C0 4010 2233" && echo "1" || echo "0"
Note that this fingerprint is valid up to the year 2038.
Quote:
https://connochaetos.org/slack-n-free/slack-n-free-14.1 -> contains ConnochaetOS specifics, all signed with the ConnochaetOS key
https://connochaetos.org/slack-n-free/salix/i486/14.1 -> contains a modified copy of the salix repository; salix does not sign every single package, so here there are only files signed with the ConnochaetOS key
https://connochaetos.org/slack-n-fre...slackware-14.1 -> contains a modified copy of the slackware repository; here all packages are signed with the official slackware key, but the CHECKSUMS.md5 is signed with the ConnochaetOS key.
|
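A stricter form of the fingerprint check discussed in this post, written here as an added example (it is not code from slackpkg+, slackpkg or any poster): it reads gpg's machine-readable status lines and accepts a signature only when the VALIDSIG fingerprint equals the key expected for that repository, so a file signed by some other trusted key is rejected. The Slackware fingerprint is the one quoted above; the two status samples and the second fingerprint are constructed placeholders.

```shell
#!/bin/sh
# Added example, not slackpkg+ or slackpkg code: accept a signature only if it
# was made by the key expected for this repository, using gpg's machine-readable
# status lines (--status-fd) instead of grepping the human-readable output.

# Fingerprint of the Slackware key, as quoted earlier in the thread (no spaces).
SLACKWARE_FPR="EC5649DA401E22ABFA6736EF6A4463C040102233"

# sig_matches_key STATUS_TEXT EXPECTED_FPR
# Exit 0 if STATUS_TEXT (gpg --status-fd output) has a VALIDSIG line whose
# signing-key fingerprint or primary-key fingerprint equals EXPECTED_FPR.
sig_matches_key() {
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        fpr=${line#"[GNUPG:] VALIDSIG "}; fpr=${fpr%% *}  # field after the tag
        primary=${line##* }                               # last field
        [ "$fpr" = "$2" ] && return 0
        [ "$primary" = "$2" ] && return 0
        ;;
    esac
  done <<EOF
$1
EOF
  return 1
}

# verify_with_key FILE EXPECTED_FPR
# Exit 0 only if FILE.asc is a good detached signature on FILE made by EXPECTED_FPR.
# (gpg exits non-zero for a bad signature, so that case is rejected first.)
verify_with_key() {
  out=$(gpg --status-fd 1 --batch --verify "$1.asc" "$1" 2>/dev/null) || return 1
  sig_matches_key "$out" "$2"
}

# Constructed sample status output (not from real gpg runs) for an offline check.
STATUS_SLACKWARE='[GNUPG:] GOODSIG 6A4463C040102233 Slackware Linux Project <security@slackware.com>
[GNUPG:] VALIDSIG EC5649DA401E22ABFA6736EF6A4463C040102233 2015-12-16 1450249272 0 4 0 1 2 00 EC5649DA401E22ABFA6736EF6A4463C040102233'
# The same file signed by some other key the user happens to trust (placeholder fingerprint).
STATUS_OTHER='[GNUPG:] GOODSIG 7777888899990000 Other Repo <placeholder@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2015-12-16 1450249272 0 4 0 1 2 00 1111222233334444555566667777888899990000'

sig_matches_key "$STATUS_SLACKWARE" "$SLACKWARE_FPR" && echo "slackware key: accepted"
sig_matches_key "$STATUS_OTHER" "$SLACKWARE_FPR" || echo "other key: rejected"
```

In a per-repository checkgpg() the expected fingerprint would come from that repository's configuration rather than from a fixed variable.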
Never mind, nothing to see here, just move along.
|
Yes, it was a draft to give an idea.
|
Hello,
Quote:
Code:
--- slackpkgplus.sh.orig 2015-12-29 16:49:57.066470655 +0100
SeB
|
Thank you. I was writing a similar patch that writes keyids/repository in a file; then --verify does a grep on the output.
But your solution is better. I'm testing it. n.b.: I just committed in the devel branch. No functionality touched, but I just resorted/reindented the code and moved zdialogplus.sh into slackpkgplus.sh (so slackpkgplus is just one file). Your patch works but with a 280 line offset |
Quote:
I'm sorry [edit] ok, recommitted. |
I added something to your patch. (needs more testing)
Code:
--- a/src/slackpkgplus.sh |
I made an additional tool (currently not slackpkg+ dependent) to generate a CHECKSUMS.md5.log every time you run slackpkg update
Code:
Wed Dec 30 22:11:28 CET 2015
Put it in /usr/libexec/slackpkg/functions.d/zchangelog.sh
Code:
test -n "$(declare -f cleanup)" || return
|
I'm seeing some weird slackpkg+ responses, with "grep:write error" and "grep: write error: Broken pipe" when attempting install-new or upgrade-all if nothing is found. Then, eventually, when a package is found to install or upgrade, the ncurses screen appears. Do I need to again revert to -3mt? Is anyone else seeing this behavior? I'm running Slackware 64 v14.1 with Multilib and KTOWN. Thanks
|
I did not see this with install-new, but I do have 2 options for upgrade that I won't upgrade. One is an MPlayer that I custom built, the other is an older ffmpeg for the custom MPlayer.
|
@bamunds
Please run bash -x slackpkg install-new and attach the output |