Bug #10092

Use di-netboot-assistant in a safer way

Added by intrigeri 2015-08-25 01:44:53. Updated 2017-02-05 09:50:28.

Status: Resolved
Priority: Normal
Assignee:
Category: Infrastructure
Target version:
Start date: 2015-08-25
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for: 280

Description

As discussed on Feature #8507, our current usage is not super safe. With di-netboot-assistant 0.39 we could do better, as its changelog reads:

* Implement the inclusion of debian-installer packages. Add
instructions to the README and a warning when installing insecurely.

Let’s try that!


Related issues

Related to Tails - Feature #8507: Evaluate how safe our usage of di-netboot-assistant is (Resolved, 2015-01-01)

History

#1 Updated by intrigeri 2015-08-25 01:45:06

  • related to Feature #8507: Evaluate how safe our usage of di-netboot-assistant is added

#2 Updated by intrigeri 2015-10-05 13:17:47

  • Target version changed from Tails_1.7 to 2016

#3 Updated by intrigeri 2016-08-27 09:56:48

  • Target version deleted (2016)

#4 Updated by intrigeri 2016-10-29 07:35:21

  • Description updated

#5 Updated by intrigeri 2016-10-29 10:26:52

  • Status changed from Confirmed to In Progress
  • Assignee changed from intrigeri to bertagaz
  • Target version set to Tails_2.7
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Deliverable for set to 270

Done (mostly in puppet-libvirt), applied.

#7 Updated by bertagaz 2016-11-07 17:31:20

  • Deliverable for changed from 270 to SponsorS_Internal

#11 Updated by bertagaz 2016-11-09 11:15:33

  • Assignee changed from bertagaz to intrigeri
  • QA Check changed from Ready for QA to Info Needed

Had a look and I like it, except I have one question:

Line 12-20 in puppet-libvirt:manifests/host/di_netboot_assistant.pp:

  apt::preferences_snippet { 'di-netboot-assistant':
    ensure   => $di_netboot_assistant_pinning_ensure,
    pin      => 'release o=Debian,n=stretch',
    priority => '991',
  } 
  package { ['di-netboot-assistant', 'syslinux']:
    ensure  => installed,
    require => Apt::Preferences_snippet['di-netboot-assistant'],
  }

If $di_netboot_assistant_pinning_ensure is absent, won’t we have a missing dependency for the packages as the apt::preferences_snippet resource won’t be installed?

#12 Updated by intrigeri 2016-11-09 17:28:29

  • Assignee changed from intrigeri to bertagaz
  • QA Check changed from Info Needed to Ready for QA

> Had a look and I like it,

:)

> except I have one question:
>
> Line 12-20 in puppet-libvirt:manifests/host/di_netboot_assistant.pp:
>
>   apt::preferences_snippet { 'di-netboot-assistant':
>     ensure   => $di_netboot_assistant_pinning_ensure,
>     pin      => 'release o=Debian,n=stretch',
>     priority => '991',
>   }
>   package { ['di-netboot-assistant', 'syslinux']:
>     ensure  => installed,
>     require => Apt::Preferences_snippet['di-netboot-assistant'],
>   }
>
> If $di_netboot_assistant_pinning_ensure is absent, won’t we have a missing dependency for the packages as the apt::preferences_snippet resource won’t be installed?

Either I’m misunderstanding what you mean with “missing dependency”, or you’re confused wrt. how Puppet resources work, or I am myself :)

In my book, Apt::Preferences_snippet['di-netboot-assistant'] will be applied regardless of its ensure parameter: if that parameter is ‘present’, then the resource will ensure that the APT preferences snippet is there; else, it will ensure it’s not there. In both cases, require => Apt::Preferences_snippet['di-netboot-assistant'] ensures that package { ['di-netboot-assistant', 'syslinux'] is applied only after Apt::Preferences_snippet['di-netboot-assistant'] is itself applied.
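
The distinction discussed in the comment above, as an added example that is not part of the original thread or of puppet-libvirt: a resource declared with `ensure => absent` is still in the catalog and can be required, whereas a resource that is never declared cannot. A built-in `file` resource stands in for `apt::preferences_snippet`; the path, the exec titles, the `Package:` line and the `$pinning_ensure` / `$declare_pin` variables are constructed for illustration.

```puppet
# Added illustration; paths, titles and variables are constructed, and a
# plain file resource stands in for apt::preferences_snippet.
$pinning_ensure = 'absent'   # try 'present' too: the ordering is identical

# Case 1: the resource is always declared; only its desired state varies.
# With 'absent' Puppet still manages it (by making sure the file is gone),
# so the reference below resolves and the ordering edge is kept.
file { '/tmp/example-pin.pref':
  ensure  => $pinning_ensure,
  content => "Package: di-netboot-assistant\nPin: release o=Debian,n=stretch\nPin-Priority: 991\n",
}

exec { 'runs-after-pin-state-is-enforced':
  command   => '/bin/echo pin state enforced first',
  logoutput => true,
  require   => File['/tmp/example-pin.pref'],
}

# Case 2 (kept commented out): declaring the resource conditionally is what
# would produce a missing dependency. When $declare_pin is false the file
# resource is not in the catalog at all, the require below cannot be
# resolved, and the run fails instead of applying the exec.
#
# $declare_pin = false
# if $declare_pin {
#   file { '/tmp/example-pin-2.pref': ensure => present }
# }
# exec { 'fails-when-pin-is-undeclared':
#   command => '/bin/true',
#   require => File['/tmp/example-pin-2.pref'],
# }
```

Saved to a file and run with `puppet apply`, case 1 succeeds with either value of `$pinning_ensure`; uncommenting case 2 makes the run abort on the unresolved reference.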

#13 Updated by bertagaz 2016-11-17 17:37:35

  • Target version changed from Tails_2.7 to Tails_2.9.1

#14 Updated by anonym 2016-12-14 20:11:21

  • Target version changed from Tails_2.9.1 to Tails 2.10

#15 Updated by anonym 2017-01-24 20:48:48

  • Target version changed from Tails 2.10 to Tails_2.11

#16 Updated by bertagaz 2017-02-04 17:11:07

  • Status changed from In Progress to Resolved
  • Assignee deleted (bertagaz)
  • % Done changed from 50 to 100
  • QA Check deleted (Ready for QA)

intrigeri wrote:
> Either I’m misunderstanding what you mean with “missing dependency”, or you’re confused wrt. how Puppet resources work, or I am myself :)
>
> In my book, Apt::Preferences_snippet['di-netboot-assistant'] will be applied regardless of its ensure parameter: if that parameter is ‘present’, then the resource will ensure that the APT preferences snippet is there; else, it will ensure it’s not there. In both cases, require => Apt::Preferences_snippet['di-netboot-assistant'] ensures that package { ['di-netboot-assistant', 'syslinux'] is applied only after Apt::Preferences_snippet['di-netboot-assistant'] is itself applied.

Right, I must have been confused when writing this, don’t know where it comes from.

Anyway, I’ve looked again as I needed to re-install isobuilder1 and wanted the Stretch installer. So I added this codename support to the libvirt module in passing, and it works well (except a Stretch installer/Debian archive kernel mismatch). So I guess it means this ticket is good to close! Sorry for the delay.

#17 Updated by intrigeri 2017-02-05 09:50:28

Thank you!