maas-import-pxe-files doesn't cryptographically verify what it downloads
Bug #1039513 reported by
Robie Basak
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
MAAS |
Fix Released
|
Critical
|
Julian Edwards | ||
1.2 |
Fix Released
|
Critical
|
Julian Edwards | ||
1.3 |
Fix Released
|
Critical
|
Julian Edwards |
Bug Description
Currently, maas-import-
maas-import-
1) This prevents (easy) caching
2) archive.ubuntu.com doesn't appear to support HTTPS
3) The files we need are indirectly signed, so if we just try to verify what is there we'll end up with the same race condition that apt faces in bug 972077
summary: |
- maas-import-pxe-files should cryptographically verify what it downloads + maas-import-pxe-files doesn't cryptographically verify what it downloads |
Changed in maas: | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: m-i-p-f tech-debt |
information type: | Private Security → Public |
Changed in maas: | |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
fwiw, this is a regression over the use of 'cobbler- ubuntu- import' , which does do gpg checking against /usr/share/ keyrings/ ubuntu- archive- keyring. gpg [1]. That was added under bug 974460.
Outside of the race condition, which I'm willing to ignore for the time being, we can just use the same solution there.
Note also that a "InRelease" (signed content in same file as payload) does not fix this entirely either, as there is still the race between downloading the ISO and the the signed file.
-- bazaar. launchpad. net/~ubuntu- branches/ ubuntu/ quantal/ cobbler/ quantal/ view/head: /debian/ cobbler- ubuntu- import# L86
[1] http://