Techy stuff for developers

johnraff · 2023-04-04 03:06:23

A newly added Debian Wiki page:

DebianInstallerCreateUSBMedia
Preparing a USB Memory Stick to boot the Installer
https://wiki.debian.org/DebianInstaller/CreateUSBMedia

Various advanced options.

johnraff · 2023-11-17 01:23:08

Dpkg FAQ

Yeah this is pretty Deep Debian, but someone sometime might want to check it out:
https://wiki.debian.org/Teams/Dpkg/FAQ

EDIT: but be very careful about merged-usr:
https://wiki.debian.org/Teams/Dpkg/FAQ# … ed-dirs.3F
The dpkg developer does not agree with current Debian policy!

Last edited by johnraff (2023-11-17 01:29:11)

johnraff · 2024-01-30 05:23:54

The latest example debian installer preseed file for Bookworm:

https://www.debian.org/releases/bookwor … reseed.txt

hhh · 2024-01-30 07:55:33

^ Wow, things have changed. When I did the original BunsenLabs live-builds (hydrogen/jessie), the preseed was maybe 60 lines? Now it's almost 500. Looks like they've added a lot of helpful comments in addition to adding many possible options. Rock on, Debian!

johnraff · 2024-01-30 08:15:04

This one too:
https://preseed.debian.net/debian-prese … n-full.txt
From: https://preseed.debian.net/debian-preseed/

hhh · 2024-01-30 08:18:45

^ OK, now you're just messing with me. Good night.

lmfao, I'm in tears.

sleekmason · 2024-01-30 17:35:49

@johnraff wrote:

The latest example debian installer preseed file for Bookworm:
https://www.debian.org/releases/bookwor … reseed.txt

Nice! Thanks for posting this!

The full list is also just a massive set of options. Good stuff.

johnraff · 2024-11-19 06:15:33

Good reference also for people writing shell scripts:
GNU Coding Standards

https://www.gnu.org/prep/standards/standards.html

johnraff · 2025-01-16 04:59:44

Vulnerability in live-build
"live-build should authenticate files it downloads"
https://bugs.debian.org/cgi-bin/bugrepo … 718225#115

If you're using live-build, I'd highly recommend setting the various
`--mirror` and `--parent-mirror` settings in your `lb config` commands
explicitly, specifying HTTPS repos for each of those settings. It's not
a perfect solution, but as long as no one has compromised HTTPS, it
should be sufficient to plug this hole.

Head_on_a_Stick · 2025-01-16 11:11:02

The --parent-mirror-* options take their defaults from the matching mirror-* setting.

So I think we would need this in auto/config:

   --mirror-binary 'https://deb.debian.org/debian'
   --mirror-binary-security 'https://deb.debian.org/debian-security'
   --mirror-bootstrap 'https://deb.debian.org/debian'
   --mirror-chroot-security 'https://deb.debian.org/debian-security'

All the other values should derive correctly from those settings, I think.

It is a pretty mild local vulnerability though:

PoC wrote:

A malicious third party positioned in the network between the victim's mirror and the victim themselves can MITM the connection, and then provide a malicious kernel or initramfs. live-build will integrate these malicious files into the built ISO.

https://gist.github.com/ArrayBolt3/99d1 … 43eaf85520

Is this really something to be worried about?

johnraff · 2025-01-17 02:47:52

It's been on the Bug Tracking System for years, so maybe not such a big deal. Someone has just picked it up again. Although "a malicious kernel or initramfs" sounds like something not to put in an iso.

Setting those mirror urls to https* looks like a good start anyway, and very easy to do.

Some day it would be nice if live-build would actually verify the downloaded files against the checksums Debian provide, just as is done when apt downloads packages from a repository.

Head_on_a_Stick · 2025-01-29 19:40:38

Is there any interest in adding spice-vdagent to the package list for BunsenLabs?

It makes the OS a better behaved guest for spice-based virtual machines, such as gnome-boxes & virt-manager, with no added overhead for bare metal installs.

johnraff · 2025-01-30 00:00:14

^I always add it to my VMs because it makes several things work better, but there are possible security issues. I'm not sure if it should be there by default. I notice the Debian installer auto-detects if you're installing to a VM and adds qemu-guest-agent but not spice-vdagent.

Another thing is that RedHat seem to be about to pull the plug on Spice anyway, so spice-vdagent's days might be numbered, even on Debian. Not good, because there seems to be no replacement atm.

Head_on_a_Stick · 2025-01-30 07:44:52

SPICE is supported for RHEL 8 so that means it has maintenance support until 2029-05-31. EDIT: and Debian will support it unitl trixie EOL if it makes the release.

The spice-vdagent daemon only runs if /dev/virtio-ports is present so it will have no effect on a bare metal system beyond the ~200KiB of disk space.

Last edited by Head_on_a_Stick (2025-01-30 07:45:56)

johnraff · 2025-01-31 09:03:00

Head_on_a_Stick wrote:

SPICE is supported for RHEL 8 so that means it has maintenance support until 2029-05-31. EDIT: and Debian will support it unitl trixie EOL if it makes the release.

Well, yes if it gets into Trixie then of course it would be extremely unusual to be dropped before EOL.

The spice-vdagent daemon only runs if /dev/virtio-ports is present so it will have no effect on a bare metal system beyond the ~200KiB of disk space.

But the main reason I'd be reluctant to put it in by default is the security issues for VMs. I don't think users should have that dropped on them without warning.

eg (first thing that came up):
https://www.openwall.com/lists/oss-secu … 20/11/04/1

`spice-vdagentd` is running as *root* as a socket activated systemd service.

Anyway, it's helping to break down the VM's isolation from the outside world, which not everybody might want.
My VM's are just for testing so it's less important.

johnraff · 2025-02-01 05:56:13

I was briefly wondering if we could tweak the Debian-Installer to offer an install of spice-vdagent along with qemu-guest-agent if it detected being run in a VM... then remembered bl-welcome.

It should be quite easy to add that offer to the welcome script if a VM is detected (along with a mention of possible security issues). I think that would be a good solution, no?

johnraff · 2025-02-01 08:52:40

Reference:
https://salsa.debian.org/installer-team … type=heads

Head_on_a_Stick · 2025-02-01 09:55:30

The bl-welcome addition sounds like a good idea :-)

johnraff · 2025-08-27 07:10:48

johnraff wrote:

Reference:
https://salsa.debian.org/installer-team … type=heads

This means that Debian-Installer is now automatically installing spice-vdagent if it detects a virtual machine and a desktop system, so probably no need for us to do anything.

#41 2023-04-04 03:06:23

Re: Techy stuff for developers

#42 2023-11-17 01:23:08

Re: Techy stuff for developers

#43 2024-01-30 05:23:54

Re: Techy stuff for developers

#44 2024-01-30 07:55:33

Re: Techy stuff for developers

#45 2024-01-30 08:15:04

Re: Techy stuff for developers

#46 2024-01-30 08:18:45

Re: Techy stuff for developers

#47 2024-01-30 17:35:49

Re: Techy stuff for developers

#48 2024-11-19 06:15:33

Re: Techy stuff for developers

#49 2025-01-16 04:59:44

Re: Techy stuff for developers

#50 2025-01-16 11:11:02

Re: Techy stuff for developers

#51 2025-01-17 02:47:52

Re: Techy stuff for developers

#52 2025-01-29 19:40:38

Re: Techy stuff for developers

#53 2025-01-30 00:00:14

Re: Techy stuff for developers

#54 2025-01-30 07:44:52

Re: Techy stuff for developers

#55 2025-01-31 09:03:00

Re: Techy stuff for developers

#56 2025-02-01 05:56:13

Re: Techy stuff for developers

#57 2025-02-01 08:52:40

Re: Techy stuff for developers

#58 2025-02-01 09:55:30

Re: Techy stuff for developers

#59 2025-08-27 07:10:48

Re: Techy stuff for developers

Board footer