[Bug 1565889] Re: /install/filesystem.squashfs should be signed
Dimitri John Ledkov
launchpad at surgut.co.uk
Mon Apr 18 11:57:24 UTC 2016
** Information type changed from Private Security to Public Security
** Changed in: live-installer (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-cd in Ubuntu.
https://bugs.launchpad.net/bugs/1565889
Title:
/install/filesystem.squashfs should be signed
Status in Ubuntu CD Images:
Fix Released
Status in debian-cd package in Ubuntu:
Invalid
Status in live-installer package in Ubuntu:
Fix Committed
Bug description:
Prior to xenial, /install/filesystem.squashfs would only be used from
a locally booted and mounted media. In xenial, the live-installer
package was extended to automatically search a mirror, download
remotely and use filesystem.squashfs. Before xenial, such actions were
only performed upon explicit user request and from user supplied url.
Given that this is now done automatically, it is prudent to gpg sign
and validate such downloads prior to them being used. Otherwise an
avenue is opened for a "rogue" mirror to have a valid verbantim mirror
of the apt archive, yet a modified filesystem.squashfs which
unmodified verified d-i could be blindly using.
Ideally live-installer would simply use secure apt download facility
of arbitrary files with gpg signature verification, but I doubt that
anna currently supports that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1565889/+subscriptions
More information about the foundations-bugs
mailing list