Re: leaks in our only-signed-software fortress
On 18.02.2012 16:18, Jakub Wilk wrote:
> The bug is closed. Am I missing something?
> But anyway, this is saddening. Hundreds (? - wild guess) of
> developers have been building their packages in an insecure environment,
> yet the pbuilder maintainer and a member of the Security Team believe that it
> was a feature, not a bug. :|
And looking at my current sid pbuilderrc manpage, I read at least:

    APTGETOPT=('--force-yes')
        Extra flags to give to apt-get. Default is --force-yes, which
        will skip key verification of packages to be installed. Unset if
        you want to enable key verification.

=> what does verification mean here?
and
    PBUILDERSATISFYDEPENDSOPT=('--check-key')
        Array of flags to give to pbuilder-satisfydepends. Specifying
        --check-key here will try to verify key signatures.

=> "try"? Doesn't sound trustworthy at least :(
Cheers,
Chris.
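The two pbuilderrc settings quoted in the mail, shown with the weak value beside the corrected one and a small audit that flags the weak one, as an added example that is not part of this thread or of pbuilder's own code. It assumes the config is plain shell assignments as in the manpage excerpt, and it only greps the assignments rather than sourcing the file, so a config you are auditing never gets executed.

```shell
#!/bin/sh
# Added example (not from the thread or from pbuilder): audit a pbuilderrc
# for the two settings discussed in the mail. Assumption: the file uses the
# plain shell-array assignments shown in the manpage excerpt.

# Constructed sample: the insecure default quoted in the mail.
WEAK_RC=$(mktemp)
cat >"$WEAK_RC" <<'EOF'
# pbuilderrc (constructed sample, weak)
APTGETOPT=('--force-yes')
PBUILDERSATISFYDEPENDSOPT=()
EOF

# Constructed sample: key verification left on for both tools.
HARDENED_RC=$(mktemp)
cat >"$HARDENED_RC" <<'EOF'
# pbuilderrc (constructed sample, hardened)
APTGETOPT=()
PBUILDERSATISFYDEPENDSOPT=('--check-key')
EOF

# Print "insecure" if --force-yes is handed to apt-get, "ok" otherwise.
# Comment lines are dropped first so a commented-out setting is not a finding.
aptget_force_yes() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'APTGETOPT=.*--force-yes'; then
        echo insecure
    else
        echo ok
    fi
}

# Print "checked" if pbuilder-satisfydepends is asked to verify key signatures.
satisfydepends_check_key() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'PBUILDERSATISFYDEPENDSOPT=.*--check-key'; then
        echo checked
    else
        echo unchecked
    fi
}

# Summarise one file on stdout; exit status 0 only if both settings are safe.
audit_pbuilderrc() {
    a=$(aptget_force_yes "$1")
    s=$(satisfydepends_check_key "$1")
    echo "$1: apt-get=$a satisfydepends=$s"
    [ "$a" = ok ] && [ "$s" = checked ]
}

audit_pbuilderrc "$WEAK_RC" || true      # reports insecure / unchecked
audit_pbuilderrc "$HARDENED_RC" || true  # reports ok / checked
```

Run it against your own `~/.pbuilderrc` (or `/etc/pbuilderrc`) by calling `audit_pbuilderrc` on that path; a non-zero exit means the build chroot is being populated with packages whose signatures are not verified.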