Re: Document correct buildd chroot setup somewhere?

On Mon, Apr 05, 2010 at 11:31:02AM +0200, Stefan Fritsch wrote:
> is the correct setup for the buildd chroots documented somewhere? I 
> frequently have to have the same discussions with buildd admins again 
> and again to have them fix the configuration of the stable-security 
> chroots. It would be easier if I could just point them to the 
> documentation. And maybe, if there was some documentation, the 
> configuration wouldn't be broken that often.

They should use the script we provide: create-chroot.sh.  It should take
care of those details.  However...

> TTBOMK, the correct setup currently is:
> sources.list:
> - include source *and* binary lines for the security-master/buildd/ 
> dir (don't know what the dir is called exactly)
> - do not include incoming.debian.org
> - do not include s-p-u

We are currently using the base suite as the base for the security settings.
This means incoming.debian.org as the second mirror and s-p-u included.

> apt.config:
> - *disable* signature check because the buildd dir on security master 
> is not signed

Yep, I asked for https back then, but it seems that somebody hacked it out
of create-chroot.sh again (it means adding apt-transport-https and thus
gnutls to the chroots).

I consider it a very bad thing that it's still not signed after years.  It
can't be that hard to add another line to dinstall to create a Release file
with a detached signature.  But so be it.

https is IMHO orthogonal; this setting breaks verification of the plain archive
instead, not just the security parts which are shipped encrypted to the buildds
when https is used.  (OTOH the log is still transmitted unencrypted, FWIW.)
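
Added example, not part of the original message or of create-chroot.sh: a shell check that reports, for one chroot, the apt settings argued about in this thread, distinguishing a global signature-check override (which also turns off verification of the plain archive) from a per-source one. It assumes the override is apt's `APT::Get::AllowUnauthenticated` option or a `[trusted=yes]` source option; the function name and the output tokens are made up for the example.

```shell
#!/bin/sh
# Report apt settings of one buildd chroot (added example; names are hypothetical).
# Usage: audit_chroot_apt /path/to/chroot

audit_chroot_apt() {
    root=$1
    # Active apt.conf lines; whole-line // and # comments are dropped.
    conf=$(cat "$root"/etc/apt/apt.conf "$root"/etc/apt/apt.conf.d/* 2>/dev/null |
        grep -Ev '^[[:space:]]*(//|#)' || true)
    # Active deb / deb-src lines from sources.list and sources.list.d.
    srcs=$(cat "$root"/etc/apt/sources.list "$root"/etc/apt/sources.list.d/*.list 2>/dev/null |
        grep -E '^[[:space:]]*deb(-src)?[[:space:]]' || true)

    # Global override: every source, the plain archive included, is accepted unsigned.
    if printf '%s\n' "$conf" |
        grep -Eiq 'AllowUnauthenticated[[:space:]]+"?(true|yes|1)"?'; then
        echo global-unauthenticated
    fi
    # Per-source override: only that one source line skips verification.
    if printf '%s\n' "$srcs" | grep -Eq '\[[^]]*trusted=yes'; then
        echo source-trusted-yes
    fi
    # The two sources the thread disagrees about.
    if printf '%s\n' "$srcs" | grep -q '://incoming\.debian\.org'; then
        echo source-incoming
    fi
    if printf '%s\n' "$srcs" | grep -q 'proposed-updates'; then
        echo source-proposed-updates
    fi
    return 0
}

# Run against a path given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_chroot_apt "$1"; fi
```

Each token is printed on its own line; no output means none of the four settings was found in the chroot.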

