Bug #10092
Use di-netboot-assistant in a safer way
100%
Description
As discussed on Feature #8507, our current usage is not super safe. With di-netboot-assistant 0.39 we could do better, as its changelog reads:
  * Implement the inclusion of debian-installer packages. Add
    instructions to the README and a warning when installing insecurely.
Let’s try that!
Related issues
Related to Tails - | Resolved | 2015-01-01 |
History
#1 Updated by intrigeri 2015-08-25 01:45:06
- related to Feature #8507: Evaluate how safe our usage of di-netboot-assistant is added
#2 Updated by intrigeri 2015-10-05 13:17:47
- Target version changed from Tails_1.7 to 2016
#3 Updated by intrigeri 2016-08-27 09:56:48
- Target version deleted (2016)
#4 Updated by intrigeri 2016-10-29 07:35:21
- Description updated
#5 Updated by intrigeri 2016-10-29 10:26:52
- Status changed from Confirmed to In Progress
- Assignee changed from intrigeri to bertagaz
- Target version set to Tails_2.7
- % Done changed from 0 to 50
- QA Check set to Ready for QA
- Deliverable for set to 270
Done (mostly in puppet-libvirt), applied.
#7 Updated by bertagaz 2016-11-07 17:31:20
- Deliverable for changed from 270 to SponsorS_Internal
#11 Updated by bertagaz 2016-11-09 11:15:33
- Assignee changed from bertagaz to intrigeri
- QA Check changed from Ready for QA to Info Needed
Had a look and I like it, except I have one question:
Line 12-20 in puppet-libvirt:manifests/host/di_netboot_assistant.pp:

    apt::preferences_snippet { 'di-netboot-assistant':
      ensure   => $di_netboot_assistant_pinning_ensure,
      pin      => 'release o=Debian,n=stretch',
      priority => '991',
    }
    package { ['di-netboot-assistant', 'syslinux']:
      ensure  => installed,
      require => Apt::Preferences_snippet['di-netboot-assistant'],
    }

If $di_netboot_assistant_pinning_ensure is absent, won’t we have a missing dependency for the packages as the apt::preferences_snippet resource won’t be installed?
#12 Updated by intrigeri 2016-11-09 17:28:29
- Assignee changed from intrigeri to bertagaz
- QA Check changed from Info Needed to Ready for QA
> Had a look and I like it,
:)
> except I have one question:
> Line 12-20 in puppet-libvirt:manifests/host/di_netboot_assistant.pp:
>
>     apt::preferences_snippet { 'di-netboot-assistant':
>       ensure   => $di_netboot_assistant_pinning_ensure,
>       pin      => 'release o=Debian,n=stretch',
>       priority => '991',
>     }
>     package { ['di-netboot-assistant', 'syslinux']:
>       ensure  => installed,
>       require => Apt::Preferences_snippet['di-netboot-assistant'],
>     }
>
> If $di_netboot_assistant_pinning_ensure is absent, won’t we have a missing dependency for the packages as the apt::preferences_snippet resource won’t be installed?
Either I’m misunderstanding what you mean with “missing dependency”, or you’re confused wrt. how Puppet resources work, or I am myself :)
In my book, Apt::Preferences_snippet['di-netboot-assistant'] will be applied regardless of its ensure parameter: if that parameter is ‘present’, then the resource will ensure that the APT preferences snippet is there; else, it will ensure it’s not there. In both cases, require => Apt::Preferences_snippet['di-netboot-assistant'] ensures that package { ['di-netboot-assistant', 'syslinux'] is applied only after Apt::Preferences_snippet['di-netboot-assistant'] is itself applied.
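The ordering behaviour described in the comment above, as an added example that is not part of the original thread or of puppet-libvirt. A plain file resource stands in for apt::preferences_snippet; the class name, file path and exec are hypothetical.

```puppet
# Added example, not code from puppet-libvirt. The class name, the file
# path and the exec are hypothetical; the file resource stands in for
# apt::preferences_snippet.
class ordering_demo (
  $pinning_ensure = 'absent',
) {
  # Declared unconditionally, so it is always part of the catalog.
  # 'present' writes the snippet, 'absent' removes it; in both cases
  # the resource is evaluated.
  file { '/tmp/di-netboot-assistant.pref':
    ensure  => $pinning_ensure,
    content => "Package: di-netboot-assistant\nPin: release o=Debian,n=stretch\nPin-Priority: 991\n",
  }

  # Valid for both values of $pinning_ensure: the relationship targets
  # the resource in the catalog, not the file on disk, so this exec runs
  # only after the file resource has been evaluated.
  exec { 'install-step':
    command   => '/bin/echo "pinning state settled, safe to install"',
    logoutput => true,
    require   => File['/tmp/di-netboot-assistant.pref'],
  }
}

include ordering_demo

# What would break the dependency is declaring the resource
# conditionally, for instance:
#
#   if $pinning_ensure == 'present' {
#     file { '/tmp/di-netboot-assistant.pref': ... }
#   }
#
# With 'absent' the resource is then missing from the catalog, and the
# run fails because the require points at a resource that does not exist.
```

Applying the manifest once with each value of $pinning_ensure shows the exec running after the file resource in both cases.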
#13 Updated by bertagaz 2016-11-17 17:37:35
- Target version changed from Tails_2.7 to Tails_2.9.1
#14 Updated by anonym 2016-12-14 20:11:21
- Target version changed from Tails_2.9.1 to Tails 2.10
#15 Updated by anonym 2017-01-24 20:48:48
- Target version changed from Tails 2.10 to Tails_2.11
#16 Updated by bertagaz 2017-02-04 17:11:07
- Status changed from In Progress to Resolved
- Assignee deleted (bertagaz)
- % Done changed from 50 to 100
- QA Check deleted (Ready for QA)
intrigeri wrote:
> Either I’m misunderstanding what you mean with “missing dependency”, or you’re confused wrt. how Puppet resources work, or I am myself :)
>
> In my book, Apt::Preferences_snippet['di-netboot-assistant'] will be applied regardless of its ensure parameter: if that parameter is ‘present’, then the resource will ensure that the APT preferences snippet is there; else, it will ensure it’s not there. In both cases, require => Apt::Preferences_snippet['di-netboot-assistant'] ensures that package { ['di-netboot-assistant', 'syslinux'] is applied only after Apt::Preferences_snippet['di-netboot-assistant'] is itself applied.
Right, I must have been confused when writing this, don’t know where it comes from.
Anyway, I’ve looked again as I needed to re-install isobuilder1 and wanted the Stretch installer. So I added this codename support to the libvirt module in passing, and it works well (except a Stretch installer/Debian archive kernel mismatch). So I guess it means this ticket is good to close! Sorry for the delay.
#17 Updated by intrigeri 2017-02-05 09:50:28
Thank you!