Re: Packages built with unchecked dependencies
Enrico Zini wrote:
Then I tried sbuild to build using my schroot setup, and found that by
default it disables signature checking. So I stopped using sbuild until
I find a way to reenable it.
Yes. Errr... I mean... No! It also makes me uncomfortable too. If there
is some good reason, I don't know what it is. Even if the network path
was completely trusted, I can't think why signature checking should be
and found that not even our buildds check signatures, and since I
understand that they don't always reside on the same network as the main
ftp archive, nor they connect to it using some sort of VPN (correct me
if I'm wrong), I worry that this means that they also buld packages
using untrusted build-deps.
Am I the only one that feels very, very uncomfortable about this?
Anyway, I am lazy ;-). How did you reconfigure sbuild to enable
(On the topic of schroot and sbuild, I found this references useful; it
is getting dated now but some parts are still relevant:
if only it mentioned what this "apt-get-update" program/script is)