Re: leaks in our only-signed-software fortress

[Christoph Anton Mitterer <calestyo@scientia.net>]

Am 18.02.2012 16:18, schrieb Jakub Wilk:
> The bug is closed. Am I missing something?
>
> But anyway, this is saddening. Hundreds (? - wild guess) of
> developers have been building their packages in insecure environment,
> yet pbuilder maintainer and a member of Security Team believe that it
> was a feature, not a bug. :|

And looking at my current sid pbuilderrc manpage I read at least:
       APTGETOPT=('--force-yes')
              Extra flags to give to apt-get.  Default is  --force-yes, 
which
              will skip key verification of packages to be installed. 
Unset if
              you want to enable key verification.
=> what does verification mean here?

and
       PBUILDERSATISFYDEPENDSOPT=('--check-key')
              Array  of  flags to give to pbuilder-satisfydepends.  
Specifying
              --check-key here will try to verify key signatures.
=> "try"? Doesn't sound trustworthy at least :(


Cheers,
Chris.