[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Packages built with unchecked dependencies


some time ago, I noticed that using the default pbuilder setup I was
not checking signatures on build-dep packages when building my debian
uploads [1] [2] [3].  I thought this was bad, and since then I pay
attention to it.

Now that I have LVM in my laptop and use schroot, I take care of
building the chroots using "debootstrap --keyring=..." [4], which means
that when I download build-deps inside the chroots, the build-deps get

Then I tried sbuild to build using my schroot setup, and found that by
default it disables signature checking.  So I stopped using sbuild until
I find a way to reenable it.

Then I had a look at some random buildd log[5]:

  WARNING: The following packages cannot be authenticated!
    x11-common libice6 libsm6 libxau6 libxdmcp6 libxcb1 libxcb-xlib0 libx11-data
    libx11-6 libxt6 apt-utils bsdmainutils groff-base libnewt0.52 libpopt0
    man-db whiptail libmagic1 file gettext-base libidn11 html2text gettext
    intltool-debian po-debconf debhelper cdbs cmake defoma dh-buildinfo
  Authentication warning overridden.

and found that not even our buildds check signatures, and since I
understand that they don't always reside on the same network as the main
ftp archive, nor they connect to it using some sort of VPN (correct me
if I'm wrong), I worry that this means that they also buld packages
using untrusted build-deps.

Am I the only one that feels very, very uncomfortable about this?



[1] http://www.enricozini.org/2006/tips/trusted-pbuilder.html
[2] http://wiki.debian.org/SecurePbuilder
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317998
[4] http://www.enricozini.org/2008/tips/joys-of-schroot.html
[5] http://buildd.debian.org/fetch.cgi?&pkg=libept&ver=0.5.21&arch=i386&stamp=1216774836&file=log

GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Attachment: signature.asc
Description: Digital signature

Reply to: