From fadeb495e3c61c1e96561e45de8d8cf2bc726b22 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Mon, 2 Oct 2023 18:06:26 -0700 Subject: [PATCH] remove ssl-cert "snakeoil" private keys from images, since this makes them not very private. LP: #2037869. --- debian/changelog | 5 +++++ live-build/auto/config | 12 ++++++++++++ 2 files changed, 17 insertions(+) diff --git a/debian/changelog b/debian/changelog index c325aeee..d86fd97c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,15 @@ livecd-rootfs (23.10.52) UNRELEASED; urgency=medium + [ Philip Roche ] * fix: Sort filelists creating when building ubuntu-cpc images (LP: #2033677) * fix: Create .filelist in ubuntu-cpc project binary hooks that do not use create_manifest shared function (LP: #2033751) * fix: Ensure any created .filelist is symlinked with expected prefix and correct permissions * fix: disk-image-non-cloud ubuntu-cpc build target now provides manifest and filelist + [ Steve Langasek ] + * remove ssl-cert "snakeoil" private keys from images, since this makes + them not very private. LP: #2037869. + -- Philip Roche Thu, 31 Aug 2023 18:20:23 +0100 livecd-rootfs (23.10.51) mantic; urgency=medium diff --git a/live-build/auto/config b/live-build/auto/config index c528e36d..1a791366 100755 --- a/live-build/auto/config +++ b/live-build/auto/config @@ -1300,6 +1300,18 @@ if [ "${IMAGE_HAS_HARDCODED_PASSWORD:-}" = "1" ]; then fi fi +# apply this hook unconditionally to remove files from the chroot that +# are supposed to be install-specific secrets and therefore must never +# be shipped in any image. +# this hook should be extended if we discover any more files that are +# supposed to be private but aren't. +cat > config/hooks/100-too-many-secrets.chroot <
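Review bot: In the debian/changelog hunk, the new entry under `[ Steve Langasek ]` writes the bug reference as a trailing sentence, `LP: #2037869.`, while the entries above it in the same stanza use the parenthesised form `(LP: #2033677)`. Suggest `(LP: #2037869)` for consistency, and naming the new hook (`100-too-many-secrets.chroot`) in the entry so that someone reading the changelog can find where the removal happens.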
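Review bot: In the live-build/auto/config hunk, the comment above `cat > config/hooks/100-too-many-secrets.chroot` states which class of file the hook removes but not what is expected to happen afterwards: anything in an image that is configured to use the ssl-cert snakeoil key will find it missing until a fresh key is generated on the installed system. Suggest one more comment line saying where regeneration is expected to happen (first boot, a package maintainer script, or left to the administrator), and noting that any path added to this hook later needs the same answer. It is also worth confirming that the `100-` prefix orders this hook after every other chroot hook that can install packages, since a later hook that pulls in ssl-cert would put a key back into the image.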