[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: leaks in our only-signed-software fortress

Am 18.02.2012 16:18, schrieb Jakub Wilk:
The bug is closed. Am I missing something?

But anyway, this is saddening. Hundreds (? - wild guess) of
developers have been building their packages in insecure environment,
yet pbuilder maintainer and a member of Security Team believe that it
was a feature, not a bug. :|

And looking at my current sid pbuilderrc manpage I read at least:
Extra flags to give to apt-get. Default is --force-yes, which will skip key verification of packages to be installed. Unset if
              you want to enable key verification.
=> what does verification mean here?

Array of flags to give to pbuilder-satisfydepends. Specifying
              --check-key here will try to verify key signatures.
=> "try"? Doesn't sound trustworthy at least :(


Reply to: