launchpad-reviewers team mailing list archive

Thread
Date

[Bug 1039513] Re: maas-import-pxe-files doesn't cryptographically verify what it downloads

To: launchpad-reviewers@xxxxxxxxxxxxxxxxxxx
From: Julian Edwards <1039513@xxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Aug 2012 03:34:10 -0000
Reply-to: Bug 1039513 <1039513@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Summary changed:

- maas-import-pxe-files should cryptographically verify what it downloads
+ maas-import-pxe-files doesn't cryptographically verify what it downloads

** Changed in: maas
       Status: New => Triaged

** Changed in: maas
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of MAAS
Maintainers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1039513

Title:
  maas-import-pxe-files doesn't cryptographically verify what it
  downloads

Status in MAAS:
  Triaged

Bug description:
  Currently, maas-import-pxe-files uses HTTP to download its files,
  including pxelinux.0 and netboot kernel image and initrd. In theory,
  somebody could intercept this and inject a malicious payload.

  maas-import-ephemerals avoids this by using HTTPS, but:
    1) This prevents (easy) caching
    2) archive.ubuntu.com doesn't appear to support HTTPS
    3) The files we need are indirectly signed, so if we just try to verify what is there we'll end up with the same race condition that apt faces in bug 972077

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1039513/+subscriptions

References

[Bug 1039513] [NEW] maas-import-pxe-files should cryptographically verify what it downloads
From: Robie Basak, 2012-08-21