Date: Wed, 4 Apr 2018 22:34:34 +0200
From: Baurzhan Ismagulov
To: isar-users@googlegroups.com
Subject: Re: [PATCH v5 0/5] Debootstrap integration
Message-ID: <20180404203434.GC3164@yssyq.radix50.net>
References: <20180403100802.30710-1-claudius.heine.ext@siemens.com>
In-Reply-To: <20180403100802.30710-1-claudius.heine.ext@siemens.com>

On Tue, Apr 03, 2018 at 12:07:57PM +0200, claudius.heine.ext@siemens.com wrote:
> this is the new version of this patchset, that fixes the
> generate_keyring task in isar-bootstrap for systems with read-only
> homedir.

Thanks, worked fine on my host. CI still in progress.

It's unfortunate that the series introduces regressions you wrote about (changing mirrors, setting hostname). It's always better to fix the issues on the spot. If there are no objections, I'd like to add TODOs to the patches. Please let me know whether it's ok, or you would like to address those before the merge.

What I'd really like to see is an update to doc/user_manual.md. Would you have time for that in the next days?

If I understand the code correctly, there is also a security issue:

On Tue, Apr 03, 2018 at 12:08:00PM +0200, claudius.heine.ext@siemens.com wrote:
> + CDIRS="${@d.expand(d.getVarFlags("do_build").get("root_cleandirs", ""))}" > + if [ -n "$CDIRS" ]; then > + sudo rm -rf $CDIRS > + mkdir -p $CDIRS > + fi

Should root_cleandirs items be checked for directory traversal ("/", "..") and mounted filesystems in the subdirectories? If yes, do we want to drop the feature from this series and address the issue in a separate step?

With kind regards,
Baurzhan.
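
Review bot: `sudo rm -rf $CDIRS` removes as root whatever the `root_cleandirs` flag of `do_build` expands to, and the only guard in the hunk is the `-n` emptiness test. The expansion is unquoted and unvalidated, so an entry such as "/" or one containing ".." goes straight to rm, and anything still mounted below an entry is removed along with it. Suggest looping over the items, resolving each to a canonical path, refusing any that is not strictly inside the expected build directory, and failing on entries that have a mount point beneath them (GNU rm's `--one-file-system` can serve as a second line of defence). Each item should also be quoted in the `rm` and `mkdir` calls.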