[Secure-testing-team] [RFC] in-d-i upgrades

Joey Hess joeyh at debian.org
Sat Jun 28 20:40:55 UTC 2008 

I've been working on a fix for bug #479431, and before I apply it to
d-i, I want to make you aware of it, since it can have repercussions to
DSAs and release management.

To summarize the problem for non-d-i developers: 

  If a user is installing from a CD or mirror, debootstrap is used to
  install packages from that CD/mirror, and d-i also installs a kernel
  and some other packages, before security.debian.org is configured as
  an apt source. So, many installations do not get all security updates
  applied, until the user manually upgrades the system later. This is a
  potentially crucial window to close.

  While it might be nice for debootstrap to pull in security fixes from
  security.debian.org from the beginning, this is not possible given its
  current design, and some of its constraints such as needing to be
  implemented portably and run in the limited d-i environment also make
  it hard to it have this capability.

Rather than change debootstrap, I modified d-i to upgrade packages that
debootstrap has installed, once security sources are available. The
problem with doing such an upgrade inside d-i, though, is that it
exposes installations to the entire class of problems that can occur
during an upgrade[1], and breaks the installation process if the upgrade
fails for some reason.

So if we make this change to d-i, the security and release teams can be
affected.

security teams:

  If you're making a D[T]SA for a package that is installed by
  debootstrap, or of the kernel, or of (some) of the other packages listed
  at <http://release.debian.org/britney/noremove.d/> (d-i* files), you
  will need to keep in mind that d-i will upgrade it to the fixed version
  inside the d-i environment, and that all the issues I list in [1] should
  be avoided.

  Notable amoung these are avoiding non-debconf prompts, which can
  hang/confuse d-i, and trying to avoid prompts that don't make sense in d-i,
  such as the kernel's warning about upgrading a running kernel version.

release team:

  I guess the main impact will be that, after a d-i release candidate is
  available, any updates to base or the d-i noremove.d packages have the
  potential to cause any of the abovementioned upgrade problems, and if
  that happens, someone will have to notice and fix it. 
  
I don't like that this change adds a new class of problems to watch out
for, and tends to make things a bit more fragile. But having new
installs boot up to an insecure kernel, running insecure daemons, when
fixes are available on security.debian.org, is just too large a risk to
leave in the installer in a world where windows machines are known to be
hacked into in the period between their first boot and application of
security fixes.

(By the way, it will be possible to disable the upgrades, eg by booting
d-i with "pkgsel/upgrade=none".)

-- 
see shy jo

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479431#69
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080628/439ccfdc/attachment.pgp

More information about the Secure-testing-team mailing list