[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: buildds: "Authentication warning overridden."

On Sun, Nov 11, 2007 at 01:27:14PM +0100, Florian Weimer wrote:
> * Wouter Verhelst:

> > That's inevitable because http://incoming.debian.org is not signed; The
> > update frequency of that repository (which is available only to buildd
> > hosts by IP and/or password protection) makes that impossible -- or at
> > least that's what I understood; you may want to check with ftp-masters
> > for the full story.

> In this case, HTTPS should be used to download the packages, together
> with proper certificate validation.  This has got the added benefit that
> passwords aren't sent in the clear (well, unless an error occurs, but
> this is a separate issue).

I believe the Packages file is only exposed over ssh, so there is a trusted
path - just not one that apt recognizes as being adequate to eliminate the
authentication warning.  (Which is unfortunate, because AFAIK the "accept
unauthenticated packages" flag can't be enabled on a per-source basis.)

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org

Reply to: