Enrico Zini wrote:
Then I tried sbuild to build using my schroot setup, and found that by default it disables signature checking. So I stopped using sbuild until I find a way to reenable it.
[...]
Yes. Errr... I mean... No! It also makes me uncomfortable too. If there is some good reason, I don't know what it is. Even if the network path was completely trusted, I can't think why signature checking should be disabled.and found that not even our buildds check signatures, and since I understand that they don't always reside on the same network as the main ftp archive, nor they connect to it using some sort of VPN (correct me if I'm wrong), I worry that this means that they also buld packages using untrusted build-deps. Am I the only one that feels very, very uncomfortable about this?
Anyway, I am lazy ;-). How did you reconfigure sbuild to enable signature checking?
(On the topic of schroot and sbuild, I found this references useful; it is getting dated now but some parts are still relevant: <http://www.pseudorandom.co.uk/2007/sbuild/>
if only it mentioned what this "apt-get-update" program/script is) Thanks. Brian May