[elbe-devel] [PATCH 1/1] Implement noauth for a single package repo as attribute to <url>
bage at linutronix.de
bage at linutronix.de
Wed Aug 21 10:36:13 CEST 2019
From: Johann Neuhauser <jneuhauser at dh-electronics.com>
The <noauth> element is global for all package repos.
This decreases security when there are signed repos and, for
example, only one repo url requires this mechanism.
https://github.com/Linutronix/elbe/issues/220
Signed-off-by: Johann Neuhauser <jneuhauser at dh-electronics.com>
Acked-by: Bastian Germann <bage at linutronix.de>
---
elbepack/elbexml.py | 7 +++++--
elbepack/pbuilder.py | 7 +++++--
elbepack/pkgutils.py | 7 +++++--
elbepack/rfs.py | 8 +-------
elbepack/virtapt.py | 8 +-------
schema/dbsfed.xsd | 7 +++++++
6 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/elbepack/elbexml.py b/elbepack/elbexml.py
index 5972600c..44f5258e 100644
--- a/elbepack/elbexml.py
+++ b/elbepack/elbexml.py
@@ -163,11 +163,14 @@ class ElbeXML(object):
if self.prj.has("mirror/url-list"):
for url in self.prj.node("mirror/url-list"):
+ noauth_url = ""
+ if url.bool_attr("noauth") and noauth is "":
+ noauth_url = "[trusted=yes] "
if url.has("binary"):
- mirror += "deb " + noauth + \
+ mirror += "deb " + noauth + noauth_url + \
url.text("binary").strip() + "\n"
if url.has("source"):
- mirror += "deb-src " + noauth + \
+ mirror += "deb-src " + noauth + noauth_url + \
url.text("source").strip() + "\n"
if self.prj.has("mirror/cdrom"):
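Review bot: `noauth is ""` in the added check compares object identity, not value; it only behaves as intended because CPython happens to intern the empty string, and Python 3.8+ emits a SyntaxWarning for it. This condition decides whether `[trusted=yes]` is written into the apt source line, so it should not depend on interning; if the identity test ever fails, the per-url attribute is silently ignored. Use `if url.bool_attr("noauth") and not noauth:` instead. The same comparison is added in `pbuilder_write_repo_hook` in elbepack/pbuilder.py. The enclosing method starts outside this hunk, so the initial value of `noauth` is assumed to be a string.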
diff --git a/elbepack/pbuilder.py b/elbepack/pbuilder.py
index 6bc2945f..a79839d1 100644
--- a/elbepack/pbuilder.py
+++ b/elbepack/pbuilder.py
@@ -137,11 +137,14 @@ def pbuilder_write_repo_hook(builddir, xml):
if xml.prj.has("noauth"):
noauth = "[trusted=yes] "
for url in xml.prj.node("mirror/url-list"):
+ noauth_url = ""
+ if url.bool_attr("noauth") and noauth is "":
+ noauth_url = "[trusted=yes] "
if url.has("binary"):
- mirror += 'echo "deb ' + noauth + \
+ mirror += 'echo "deb ' + noauth + noauth_url + \
url.text("binary").strip() + \
'" >> /etc/apt/sources.list\n'
- if url.has("raw-key") and not xml.prj.has("noauth"):
+ if url.has("raw-key") and not xml.prj.has("noauth") and not url.bool_attr("noauth"):
key = "\n".join(line.strip(" \t") for line in url.text('raw-key').splitlines()[1:-1])
mirror = mirror_script_add_key_text(mirror, key)
diff --git a/elbepack/pkgutils.py b/elbepack/pkgutils.py
index 595ecc31..0e10372e 100644
--- a/elbepack/pkgutils.py
+++ b/elbepack/pkgutils.py
@@ -35,12 +35,15 @@ def get_sources_list(prj):
if prj.node("mirror/url-list"):
for n in prj.node("mirror/url-list"):
+ noauth_url = ""
+ if n.bool_attr("noauth"):
+ noauth_url = "[trusted=yes] "
if n.has("binary"):
tmp = n.text("binary").replace("LOCALMACHINE", "10.0.2.2")
- slist += "deb %s\n" % tmp.strip()
+ slist += "deb %s\n" % noauth_url + tmp.strip()
if n.has("source"):
tmp = n.text("source").replace("LOCALMACHINE", "10.0.2.2")
- slist += "deb-src %s\n" % tmp.strip()
+ slist += "deb-src %s\n" % noauth_url + tmp.strip()
return slist
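Review bot: In both added `slist +=` lines `%` binds tighter than `+`, so the format string consumes `noauth_url` and the URL is appended after the `\n`. Each entry comes out as `deb [trusted=yes] \n<url>` (or `deb \n<url>` when the attribute is unset), with no line break before the next entry, which is not a valid sources list. Format both parts together: `slist += "deb %s%s\n" % (noauth_url, tmp.strip())` and `slist += "deb-src %s%s\n" % (noauth_url, tmp.strip())`. get_sources_list begins outside the hunk.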
diff --git a/elbepack/rfs.py b/elbepack/rfs.py
index e12051e0..a514d105 100644
--- a/elbepack/rfs.py
+++ b/elbepack/rfs.py
@@ -283,14 +283,8 @@ class BuildEnv (object):
def import_keys(self):
if self.xml.has('project/mirror/url-list'):
- # Should we use self.xml.prj.has("noauth")???
- #
- # If so, this is related to issue #220 -
- # https://github.com/Linutronix/elbe/issues/220
- #
- # I could make a none global 'noauth' flag for mirrors
for url in self.xml.node('project/mirror/url-list'):
- if url.has('raw-key'):
+ if url.has('raw-key') and not url.bool_attr("noauth"):
key = "\n".join(line.strip(" \t") for line in url.text('raw-key').splitlines()[1:-1])
self.add_key(key)
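Review bot: The new condition in `import_keys` honours only the per-url attribute, and the removed comment's question about the project-wide `noauth` is left unanswered; `pbuilder_write_repo_hook` in this same patch skips the `raw-key` when either is set. If a key should not be imported for any repo that is already marked `[trusted=yes]`, use `if url.has('raw-key') and not url.bool_attr("noauth") and not self.xml.prj.has("noauth"):`; otherwise add a one-line comment saying why the global flag is ignored here. The same applies to `import_keys` in elbepack/virtapt.py. What `add_key` does with the key is not visible in this hunk.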
diff --git a/elbepack/virtapt.py b/elbepack/virtapt.py
index f74facd0..f20faf37 100644
--- a/elbepack/virtapt.py
+++ b/elbepack/virtapt.py
@@ -161,14 +161,8 @@ class VirtApt(object):
def import_keys(self):
if self.xml.has('project/mirror/url-list'):
- # Should we use self.xml.prj.has("noauth")???
- #
- # If so, this is related to issue #220 -
- # https://github.com/Linutronix/elbe/issues/220
- #
- # I could make a none global 'noauth' flag for mirrors
for url in self.xml.node('project/mirror/url-list'):
- if url.has('raw-key'):
+ if url.has('raw-key') and not url.bool_attr("noauth"):
key = "\n".join(line.strip(" \t") for line in url.text('raw-key').splitlines()[1:-1])
self.add_key(key)
diff --git a/schema/dbsfed.xsd b/schema/dbsfed.xsd
index c321090b..7c31cc48 100644
--- a/schema/dbsfed.xsd
+++ b/schema/dbsfed.xsd
@@ -200,6 +200,13 @@
</element>
</all>
<attribute ref="xml:base"/>
+ <attribute name="noauth" type="boolean" use="optional">
+ <annotation>
+ <documentation>
+ Allow installation of unsigned debian packages from this repo url(s).
+ </documentation>
+ </annotation>
+ </attribute>
</complexType>
<complexType name="url-list">
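Review bot: The `<documentation>` text for the new `noauth` attribute understates what the Python hunks of this patch do with it. They write `[trusted=yes]` into the apt source line for that url and skip importing its `raw-key`, so the repository as a whole is accepted without signature verification, not just individual unsigned packages. I would word it as `Mark this repo url as [trusted=yes]: apt does not verify its signatures and a raw-key given for it is not imported. Use only for repos that cannot be signed.` That also fixes the "this repo url(s)" wording.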
--
2.20.1