Control: tag -1 patch pending

Hi,

Adam D. Barratt <adam@adam-barratt.org.uk> (2016-03-30):
> Source: debian-installer-netboot-images
> Version: 20120712
> Severity: serious
> Justification: silently ignores failures, creating broken packages
>
> Hi,
>
> Whilst preparing the dini uploads for the upcoming point releases, on
> debdiffing the binary packages against the previous versions I noticed
> that one of them seemed to have lost all of its files and had an
> Installed-Size of 32.
>
> Checking the build log, I found that this was due to one of the Release
> file checks failing with:
>
> gpgv: BAD signature from "Debian Archive Automatic Signing Key
> (7.0/wheezy) <ftpmaster@debian.org>"
>
> (This appears to have been an issue with a particular mirror, fwiw.)
>
> The checks in get-images.sh do:
>
> if gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg $RELEASE_FILE.gpg $RELEASE_FILE ; then
>   get_di_built_using $1
>   get_installer $1
> fi
>
> Whilst a failure to verify the Release signature does mean that we don't
> attempt to build an image using untrusted inputs, the package build
> continues with no sign of a problem having occurred until the binary
> packages are examined.

Thanks for the catch!

Didier, I see you have committed a fix in git master, so I'm tagging this
bug report accordingly. Did you test it (e.g. by faking a Release file
corruption)? This seems like something we should cherry-pick in stable
branches, but I don't want to do so without a confirmation first.

KiBi.
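The following script is an added example, not code from get-images.sh or from the debian-installer-netboot-images package. It reproduces the shape of the quoted check (a verification failure that falls through the `if` and leaves the build returning success with nothing fetched) next to a fail-closed variant, and runs the kind of test suggested above by faking a Release file corruption. gpgv is replaced by a stub, `fake_gpgv`, that compares a constructed checksum "signature" so the script runs offline without a keyring; `make_fixture`, `build_silent`, `build_strict`, `output_file_count` and the Release contents are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from get-images.sh or the d-i project. It contrasts
# the quoted "if gpgv ...; then ... fi" pattern with a fail-closed variant,
# using a stub verifier (fake_gpgv) so it runs without gpgv or a keyring.

# Stub standing in for gpgv: the constructed "signature" file holds the
# checksum of the Release file as it was when "signed". Any later change
# to Release makes verification fail, as a corrupt mirror copy would.
fake_gpgv() {
    sig="$1"
    release="$2"
    expected=$(cat "$sig")
    actual=$(cksum < "$release" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "fake_gpgv: BAD signature on $release" >&2
    return 1
}

# Constructed fixture: writes Release and Release.gpg into $1; with $2 = 1
# the Release file is altered after "signing", simulating the bad mirror.
make_fixture() {
    dir="$1"
    corrupt="$2"
    mkdir -p "$dir"
    printf 'Suite: stable\nCodename: wheezy\n' > "$dir/Release"
    cksum < "$dir/Release" | cut -d' ' -f1 > "$dir/Release.gpg"
    if [ "$corrupt" = 1 ]; then
        printf 'Suite: stable\nCodename: tampered\n' > "$dir/Release"
    fi
}

# Pattern from the bug report: when the check fails the body is skipped,
# the function still exits 0, and the caller packages an empty tree.
build_silent() {
    src="$1"
    out="$2"
    mkdir -p "$out"
    if fake_gpgv "$src/Release.gpg" "$src/Release"; then
        cp "$src/Release" "$out/installer"   # stands in for get_installer
    fi
    return 0
}

# Fail-closed variant: a verification failure is reported and propagated
# as a non-zero status so the build stops instead of silently skipping.
build_strict() {
    src="$1"
    out="$2"
    mkdir -p "$out"
    if ! fake_gpgv "$src/Release.gpg" "$src/Release"; then
        echo "build_strict: Release in $src failed verification, aborting" >&2
        return 1
    fi
    cp "$src/Release" "$out/installer"
}

# Number of files a build left behind (0 corresponds to "lost all of its files").
output_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Fake a Release file corruption and compare the two variants.
demo() {
    work=$(mktemp -d)
    make_fixture "$work/good" 0
    make_fixture "$work/bad" 1

    build_silent "$work/bad" "$work/out_silent"
    status=$?
    echo "silent variant: exit $status, files produced: $(output_file_count "$work/out_silent")"

    if build_strict "$work/bad" "$work/out_strict"; then
        echo "strict variant: unexpectedly succeeded"
    else
        echo "strict variant: aborted on corrupt Release, files produced: $(output_file_count "$work/out_strict")"
    fi

    build_strict "$work/good" "$work/out_good"
    status=$?
    echo "strict variant on intact Release: exit $status, files produced: $(output_file_count "$work/out_good")"

    rm -rf "$work"
}

demo
```

Note that `set -e` would not have caught the original problem: a command that is the condition of an `if` is exempt from errexit, so the failing gpgv never aborts the script on its own. The fix has to be an explicit failure path, as in `build_strict`, so that the BAD signature message in the build log is accompanied by a non-zero exit that stops the package build.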