2016-04-04 16:48:50 |
Dimitri John Ledkov |
bug |
|
|
added bug |
2016-04-04 16:49:01 |
Dimitri John Ledkov |
information type |
Public |
Private Security |
|
2016-04-04 16:49:21 |
Dimitri John Ledkov |
summary |
foo |
/install/filesystem.squashfs should be signed |
|
2016-04-04 16:55:59 |
Dimitri John Ledkov |
description |
foo |
Prior to xenial, /install/filesystem.squashfs would only be used from a locally booted and mounted media. In xenial, the live-installer package was extended to automatically search a mirror, download remotely and use filesystem.squashfs. Before xenial, such actions were only performed upon explicit user request and from user-supplied URL. Given that this is now done automatically, it is prudent to gpg sign and validate such downloads prior to them being used. Otherwise an avenue is opened for a "rogue" mirror to have a valid verbatim mirror of the apt archive, yet a modified filesystem.squashfs which unmodified verified d-i could be blindly using.
Ideally live-installer would simply use secure apt download facility of arbitrary files with gpg signature verification, but I doubt that anna currently supports that. |
|
2016-04-04 16:56:08 |
Dimitri John Ledkov |
bug task added |
|
live-installer (Ubuntu) |
|
2016-04-04 16:56:28 |
Dimitri John Ledkov |
ubuntu-cdimage: assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-04-04 16:56:30 |
Dimitri John Ledkov |
live-installer (Ubuntu): assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-04-06 20:00:22 |
Dimitri John Ledkov |
attachment added |
|
ubuntu-cdimage.bundle https://bugs.launchpad.net/ubuntu-cdimage/+bug/1565889/+attachment/4626517/+files/ubuntu-cdimage.bundle |
|
2016-04-06 20:05:03 |
Dimitri John Ledkov |
attachment removed |
ubuntu-cdimage.bundle https://bugs.launchpad.net/ubuntu-cdimage/+bug/1565889/+attachment/4626517/+files/ubuntu-cdimage.bundle |
|
|
2016-04-06 20:05:18 |
Dimitri John Ledkov |
attachment added |
|
ubuntu-cdimage.bundle https://bugs.launchpad.net/ubuntu-cdimage/+bug/1565889/+attachment/4626518/+files/ubuntu-cdimage.bundle |
|
2016-04-06 20:15:52 |
Dimitri John Ledkov |
attachment added |
|
debian-cd.bundle https://bugs.launchpad.net/ubuntu-cdimage/+bug/1565889/+attachment/4626528/+files/debian-cd.bundle |
|
2016-04-06 20:17:20 |
Dimitri John Ledkov |
bug |
|
|
added subscriber Steve Langasek |
2016-04-06 20:22:56 |
Dimitri John Ledkov |
bug task added |
|
debian-cd (Ubuntu) |
|
2016-04-06 21:07:52 |
Dimitri John Ledkov |
attachment added |
|
live-installer.debdiff https://bugs.launchpad.net/ubuntu/+source/debian-cd/+bug/1565889/+attachment/4626630/+files/live-installer.debdiff |
|
2016-04-06 21:07:59 |
Dimitri John Ledkov |
debian-cd (Ubuntu): assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-04-07 22:49:12 |
Dimitri John Ledkov |
tags |
|
s390x |
|
2016-04-18 05:02:44 |
Steve Langasek |
debian-cd (Ubuntu): status |
New |
Invalid |
|
2016-04-18 05:03:47 |
Steve Langasek |
ubuntu-cdimage: status |
New |
Fix Released |
|
2016-04-18 07:33:31 |
Dimitri John Ledkov |
bug |
|
|
added subscriber Adam Conrad |
2016-04-18 11:57:24 |
Dimitri John Ledkov |
information type |
Private Security |
Public Security |
|
2016-04-18 11:57:35 |
Dimitri John Ledkov |
live-installer (Ubuntu): status |
New |
Fix Committed |
|
2016-04-18 12:32:01 |
Ubuntu Foundations Team Bug Bot |
tags |
s390x |
patch s390x |
|
2016-04-18 13:42:14 |
Launchpad Janitor |
live-installer (Ubuntu): status |
Fix Committed |
Fix Released |
|