[elbe-devel] [PATCH 1/1] Implement noauth for a single package repo as attribute to <url>

Torben Hohn torben.hohn at linutronix.de
Thu Aug 22 08:42:32 CEST 2019


On Wed, Aug 21, 2019 at 10:36:13AM +0200, bage at linutronix.de wrote:
> From: Johann Neuhauser <jneuhauser at dh-electronics.com>
> 
> The element <noauth> is global for all package repos.
> This does decrease security if there are signed repos and for
> example only one repo url requires this mechanism.
> 
> https://github.com/Linutronix/elbe/issues/220


It's already possible to specify [trusted=yes] in the url like this:


<url>
	<binary>[trusted=yes] http://security.debian.org stretch/updates main</binary>
</url>

However, this does not play well together with <noauth>,
because it would generate

deb [trusted=yes] [trusted=yes] http://security.debian.org stretch/updates main

but this patch at hand would generate the same.

So, I don't see an improvement here, and will not merge this.

We need to add proper parsing of the [ ] component of a url, so we can
add trusted=yes into the [ ], which would also make [arch=amd64] and
all the other possible flags play well with <noauth>.

> 
> Signed-off-by: Johann Neuhauser <jneuhauser at dh-electronics.com>
> Acked-by: Bastian Germann <bage at linutronix.de>
> ---
>  elbepack/elbexml.py  | 7 +++++--
>  elbepack/pbuilder.py | 7 +++++--
>  elbepack/pkgutils.py | 7 +++++--
>  elbepack/rfs.py      | 8 +-------
>  elbepack/virtapt.py  | 8 +-------
>  schema/dbsfed.xsd    | 7 +++++++
>  6 files changed, 24 insertions(+), 20 deletions(-)
> 
> diff --git a/elbepack/elbexml.py b/elbepack/elbexml.py
> index 5972600c..44f5258e 100644
> --- a/elbepack/elbexml.py
> +++ b/elbepack/elbexml.py
> @@ -163,11 +163,14 @@ class ElbeXML(object):
>  
>              if self.prj.has("mirror/url-list"):
>                  for url in self.prj.node("mirror/url-list"):
> +                    noauth_url = ""
> +                    if url.bool_attr("noauth") and noauth is "":
> +                        noauth_url = "[trusted=yes] "
>                      if url.has("binary"):
> -                        mirror += "deb " + noauth + \
> +                        mirror += "deb " + noauth + noauth_url + \
>                                     url.text("binary").strip() + "\n"
>                      if url.has("source"):
> -                        mirror += "deb-src " + noauth + \
> +                        mirror += "deb-src " + noauth + noauth_url + \
>                              url.text("source").strip() + "\n"
>  
>          if self.prj.has("mirror/cdrom"):
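Review bot: `noauth is ""` on the added `if url.bool_attr("noauth") and noauth is "":` line compares string identity, not equality; it only works for the empty-string literal by accident of CPython interning and newer interpreters warn about it. Write `if url.bool_attr("noauth") and not noauth:`. The larger problem is that `"deb " + noauth + noauth_url + url.text("binary")` is still a plain prepend: a `<binary>` entry that already carries its own `[trusted=yes]` or `[arch=...]` component ends up with two bracketed components, which is exactly the doubled `[trusted=yes] [trusted=yes]` line quoted in the review above.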
> diff --git a/elbepack/pbuilder.py b/elbepack/pbuilder.py
> index 6bc2945f..a79839d1 100644
> --- a/elbepack/pbuilder.py
> +++ b/elbepack/pbuilder.py
> @@ -137,11 +137,14 @@ def pbuilder_write_repo_hook(builddir, xml):
>              if xml.prj.has("noauth"):
>                  noauth = "[trusted=yes] "
>              for url in xml.prj.node("mirror/url-list"):
> +                noauth_url = ""
> +                if url.bool_attr("noauth") and noauth is "":
> +                    noauth_url = "[trusted=yes] "
>                  if url.has("binary"):
> -                    mirror += 'echo "deb ' + noauth + \
> +                    mirror += 'echo "deb ' + noauth + noauth_url + \
>                                url.text("binary").strip() + \
>                                '" >> /etc/apt/sources.list\n'
> -                if url.has("raw-key") and not xml.prj.has("noauth"):
> +                if url.has("raw-key") and not xml.prj.has("noauth") and not url.bool_attr("noauth"):
>                      key = "\n".join(line.strip(" \t") for line in url.text('raw-key').splitlines()[1:-1])
>                      mirror = mirror_script_add_key_text(mirror, key)
>  
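Review bot: same identity comparison `noauth is ""` as in elbexml.py; use `not noauth`. The added `and not url.bool_attr("noauth")` on the `raw-key` line pushes it well beyond 80 columns, so wrap it, and consider hoisting the three-way "is this url trusted" decision into one helper, since elbexml.py, pbuilder.py and pkgutils.py now each re-derive it slightly differently.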
> diff --git a/elbepack/pkgutils.py b/elbepack/pkgutils.py
> index 595ecc31..0e10372e 100644
> --- a/elbepack/pkgutils.py
> +++ b/elbepack/pkgutils.py
> @@ -35,12 +35,15 @@ def get_sources_list(prj):
>  
>      if prj.node("mirror/url-list"):
>          for n in prj.node("mirror/url-list"):
> +            noauth_url = ""
> +            if n.bool_attr("noauth"):
> +                noauth_url = "[trusted=yes] "
>              if n.has("binary"):
>                  tmp = n.text("binary").replace("LOCALMACHINE", "10.0.2.2")
> -                slist += "deb %s\n" % tmp.strip()
> +                slist += "deb %s\n" % noauth_url + tmp.strip()
>              if n.has("source"):
>                  tmp = n.text("source").replace("LOCALMACHINE", "10.0.2.2")
> -                slist += "deb-src %s\n" % tmp.strip()
> +                slist += "deb-src %s\n" % noauth_url + tmp.strip()
>  
>      return slist
>  
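Review bot: operator precedence bug on both changed lines: `"deb %s\n" % noauth_url + tmp.strip()` evaluates as `("deb %s\n" % noauth_url) + tmp.strip()`, so the newline lands between the option and the URI and the URI is emitted on the following line without a `deb ` keyword. Write `"deb %s%s\n" % (noauth_url, tmp.strip())` and the same for `deb-src`. Unlike the other two hunks, this one also shows no handling of the project-wide `<noauth>` element; if `get_sources_list` does not check it elsewhere, the global flag has no effect on this sources list.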
> diff --git a/elbepack/rfs.py b/elbepack/rfs.py
> index e12051e0..a514d105 100644
> --- a/elbepack/rfs.py
> +++ b/elbepack/rfs.py
> @@ -283,14 +283,8 @@ class BuildEnv (object):
>  
>      def import_keys(self):
>          if self.xml.has('project/mirror/url-list'):
> -            # Should we use self.xml.prj.has("noauth")???
> -            #
> -            # If so, this is related to issue #220 -
> -            # https://github.com/Linutronix/elbe/issues/220
> -            #
> -            # I could make a none global 'noauth' flag for mirrors
>              for url in self.xml.node('project/mirror/url-list'):
> -                if url.has('raw-key'):
> +                if url.has('raw-key') and not url.bool_attr("noauth"):
>                      key = "\n".join(line.strip(" \t") for line in url.text('raw-key').splitlines()[1:-1])
>                      self.add_key(key)
>  
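Review bot: the changed condition `if url.has('raw-key') and not url.bool_attr("noauth"):` skips the key only for the per-url attribute, while pbuilder.py in this same series also skips it for `xml.prj.has("noauth")`, so the import paths still disagree about what the global flag means for keys. Either check both here as well or say in the commit message why the global flag should still import keys. Dropping the stale comment block is fine, since this patch is the answer to the question it raised.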
> diff --git a/elbepack/virtapt.py b/elbepack/virtapt.py
> index f74facd0..f20faf37 100644
> --- a/elbepack/virtapt.py
> +++ b/elbepack/virtapt.py
> @@ -161,14 +161,8 @@ class VirtApt(object):
>  
>      def import_keys(self):
>          if self.xml.has('project/mirror/url-list'):
> -            # Should we use self.xml.prj.has("noauth")???
> -            #
> -            # If so, this is related to issue #220 -
> -            # https://github.com/Linutronix/elbe/issues/220
> -            #
> -            # I could make a none global 'noauth' flag for mirrors
>              for url in self.xml.node('project/mirror/url-list'):
> -                if url.has('raw-key'):
> +                if url.has('raw-key') and not url.bool_attr("noauth"):
>                      key = "\n".join(line.strip(" \t") for line in url.text('raw-key').splitlines()[1:-1])
>                      self.add_key(key)
>  
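Review bot: this hunk is a byte-for-byte copy of the rfs.py change, down to the key reconstruction from `url.text('raw-key').splitlines()[1:-1]`; move the "should this url's key be imported" rule into one shared helper (elbexml or pkgutils would fit) so the two copies cannot drift apart again, which is how the removed TODO comments ended up duplicated in the first place.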
> diff --git a/schema/dbsfed.xsd b/schema/dbsfed.xsd
> index c321090b..7c31cc48 100644
> --- a/schema/dbsfed.xsd
> +++ b/schema/dbsfed.xsd
> @@ -200,6 +200,13 @@
>        </element>
>      </all>
>      <attribute ref="xml:base"/>
> +    <attribute name="noauth" type="boolean" use="optional">
> +      <annotation>
> +        <documentation>
> +          Allow installation of unsigned debian packages from this repo url(s).
> +        </documentation>
> +      </annotation>
> +    </attribute>
>    </complexType>
>  
>    <complexType name="url-list">
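Review bot: the `<documentation>` text should state what the attribute actually does, namely that the repository's signatures are not verified (the entry gets `[trusted=yes]`) and its `<raw-key>` is not imported, and that it is ignored whenever the project-wide `<noauth>` element is set. Also "debian" should read "Debian" and "repo url(s)" should read "repository URL"; a single `<url>` element describes one entry, so the plural is misleading.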
> -- 
> 2.20.1
> 
> 

-- 
Torben Hohn
Linutronix GmbH | Bahnhofstrasse 3 | D-88690 Uhldingen-Mühlhofen
Phone: +49 7556 25 999 18; Fax.: +49 7556 25 999 99

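As an added illustration of the parsing Torben asks for (example code, not part of elbe or of this patch; the entry strings are constructed), this merges trusted=yes into an entry's existing [ ] component instead of prepending a second one, so both the global <noauth> element and a per-url flag yield a single, well-formed options block:

```python
import re

# One <binary>/<source> entry as elbe stores it: an optional bracketed
# options component, then URI, suite and components (no "deb " keyword).
_ENTRY_RE = re.compile(r"^(?:\[([^\]]*)\]\s+)?(\S+)\s+(.*\S)\s*$")


def parse_entry(entry):
    """Split an entry into (options dict, uri, rest).

    The options dict preserves the order in which apt saw the flags, so
    an existing [arch=amd64] keeps its place when trusted=yes is merged in.
    """
    m = _ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError("malformed repository entry: %r" % entry)
    opts, uri, rest = m.groups()
    options = {}
    for item in (opts or "").split():
        key, _, value = item.partition("=")
        options[key] = value
    return options, uri, rest


def build_source_line(kind, entry, global_noauth=False, url_noauth=False):
    """Return the sources.list line for one entry.

    kind is "deb" or "deb-src"; global_noauth mirrors the project-wide
    <noauth> element, url_noauth the per-<url> attribute from the patch.
    Either flag sets trusted=yes exactly once inside the single [ ]
    component, so an entry that already says [trusted=yes] is unchanged.
    """
    options, uri, rest = parse_entry(entry)
    if global_noauth or url_noauth:
        options["trusted"] = "yes"
    opt_str = ""
    if options:
        opt_str = "[" + " ".join("%s=%s" % kv for kv in options.items()) + "] "
    return "%s %s%s %s" % (kind, opt_str, uri, rest)


if __name__ == "__main__":
    # Constructed entries; the first is the one quoted in the review above.
    print(build_source_line("deb", "[trusted=yes] http://security.debian.org"
                            " stretch/updates main", global_noauth=True))
    print(build_source_line("deb", "[arch=amd64] http://deb.debian.org/debian"
                            " stretch main", url_noauth=True))
```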


