[Pkg-ia32-libs-maintainers] Bug#610086: Lacking read permissions for /etc/apt/trusted.gpg

Goswin von Brederlow goswin-v-b at web.de
Tue Jan 18 12:52:38 UTC 2011


Hi apt maintainers,

FYI: I got a bug report (#610086) for ia32-libs because it still used
--allow-unauthenticated when fetching packages and sources. The problem
is that it runs apt-get as a user so it does not have access to the
critical files in /etc/apt. I'm CCing you in the hope you have a
solution for this.


Thijs Kinkhorst <thijs at debian.org> writes:

> Package: ia32-libs
> Version: 20110115
> Severity: important
> Tags: security patch
>
> Hi,
>
> The fetch-and-build script uses --allow-unauthenticated to download the
> packages to include in the build. This is quite undesirable because
> essentially this unnecessarily breaks the trust chain for the hundreds
> of megabytes of package data that are used to build this package.
>
> Please include attached patch which resolves that by bootstrapping the
> APT trustdb with the keys installed on the local system.
>
>
> Cheers,
> Thijs
>
> --- fetch-and-build.orig	2011-01-15 11:09:06.691996158 +0100
> +++ fetch-and-build	2011-01-15 11:31:58.643990659 +0100
> @@ -59,15 +59,10 @@
>  mkdir -p $APTDIR/state/lists/partial
>  mkdir -p $APTDIR/cache/archives/partial
>  echo -n > $APTDIR/state/status
> +# Bootstrap APT keystore with the one from the local system
> +cp -a /etc/apt/trusted.gpg $APTDIR/etc/
>  
> -# Probe apt version for --allow-unauthenticated
> -APT_VER=$(apt-get --version | head --lines 1 | cut -d" " -f2)
> -if dpkg --compare-versions "$APT_VER" ">=" 0.6; then
> -  # Sid apt needs authentication
> -  APT_AUTH="--allow-unauthenticated"
> -fi
> -
> -APT_GET="$APT_GET $APT_AUTH"
> +APT_GET="$APT_GET"
>  
>  $APT_GET update
>  $APT_GET autoclean
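
Review bot: the added `cp -a /etc/apt/trusted.gpg $APTDIR/etc/` has no check that the copy succeeded, and with `--allow-unauthenticated` removed the `$APT_GET update` that follows relies on that keyring being in place. Suggest testing the source first, for example `[ -r /etc/apt/trusted.gpg ] || { echo "cannot read /etc/apt/trusted.gpg" >&2; exit 1; }`, and quoting the destination as `"$APTDIR/etc/"`. The replacement line `APT_GET="$APT_GET"` assigns the variable to itself and can be dropped.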

Yeah, this would be nice. BUT:

-rw------- 1 root root 12K Nov 16  2009 /etc/apt/trusted.gpg

Non-root users do not have permissions for this file and I'm not going
to build ia32-libs as root.


Apt team: Would it be possible to make this file world readable?

Kind regards
        Goswin




