[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages built with unchecked dependencies

Enrico Zini wrote:
Then I tried sbuild to build using my schroot setup, and found that by
default it disables signature checking.  So I stopped using sbuild until
I find a way to reenable it.
and found that not even our buildds check signatures, and since I
understand that they don't always reside on the same network as the main
ftp archive, nor they connect to it using some sort of VPN (correct me
if I'm wrong), I worry that this means that they also buld packages
using untrusted build-deps.

Am I the only one that feels very, very uncomfortable about this?
Yes. Errr... I mean... No! It also makes me uncomfortable too. If there is some good reason, I don't know what it is. Even if the network path was completely trusted, I can't think why signature checking should be disabled.

Anyway, I am lazy ;-). How did you reconfigure sbuild to enable signature checking?

(On the topic of schroot and sbuild, I found this references useful; it is getting dated now but some parts are still relevant: <http://www.pseudorandom.co.uk/2007/sbuild/>
if only it mentioned what this "apt-get-update" program/script is)


Brian May

Reply to: