On Mon, Apr 05, 2010 at 11:31:02AM +0200, Stefan Fritsch wrote:
> is the correct setup for the buildd chroots documented somewhere? I
> frequently have to have the same discussions with buildd admins again
> and again to have them fix the configuration of the stable-security
> chroots. It would be easier if I could just point them to the
> documentation. And maybe, if there was some documentation, the
> configuration wouldn't be broken that often.

They should use the script we provide: create-chroot.sh. It should take
care of those details. However...

> TTBOMK, the correct setup currently is:
>
> sources.list:
> - include source *and* binary lines for the security-master/buildd/
>   dir (don't know what the dir is called exactly)
> - do not include incoming.debian.org
> - do not include s-p-u

We are currently using the base suite as the base for the security
settings. This means incoming.debian.org as the second mirror and s-p-u
included.

> apt.config:
> - *disable* signature check because the buildd dir on security master
>   is not signed

Yep, I asked for https back then, but it seems that somebody hacked it
out of create-chroot.sh again (it means adding apt-transport-https and
thus gnutls to the chroots).

I consider this a very bad thing that it's still not signed after years.
It can't be that hard to add another line to dinstall to create a
Release file with a detached signature. But so be it. https is IMHO
orthogonal, this setting breaks verification of the plain archive
instead, not just the security parts which are shipped encrypted to the
buildds when https is used. (OTOH the log is still transmitted
unencrypted, FWIW.)

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Stable Release Manager
`. `'   xmpp:phil@0x539.de                  Wanna-Build Admin
  `-    finger pkern/key@db.debian.org