[Buildd-tools-devel] Bug#492327: APT signature checking should be on by default
Enrico Zini
enrico at debian.org
Fri Jul 25 09:54:55 UTC 2008
Package: sbuild
Version: 0.57.4-1
Severity: important
Hello,
thank you for packaging sbuild.
I noticed that when I use sbuild+schroot to build my own packages, apt
signature checking is turned off. I tried to turn it on, but it
requires patching /usr/share/perl5/Sbuild/Chroot.pm, as (unless I
misread the code) disabling signature checking is currently hardcoded in
sbuild:
  sub _setup_options (\$\$) {
      [...]
      if (defined($info) &&
          defined($info->{'Location'}) && -d $info->{'Location'}) {
          [...]
          my $aptconf = "/var/lib/sbuild/apt.conf";
          [...]
          # Always write out apt.conf, because it may become outdated.
          if (my $F = new File::Temp( TEMPLATE => "$aptconf.XXXXXX",
                                      DIR => $self->get('Location'),
                                      UNLINK => 0) ) {
              print $F "APT::Get::AllowUnauthenticated true;\n";
              print $F "APT::Install-Recommends false;\n";
              if (! rename $F->filename, $chroot_aptconf) {
                  die "Can't rename $F->filename to $chroot_aptconf: $!\n";
              }
          }
      } else {
          die $self->get('Chroot ID') . " chroot does not exist\n";
      }
  }
I don't want to upload packages built with untrusted build-deps, so at
the moment I'm not using sbuild (I might make myself a patched version
now that I dug out the code).
I'd say however that once the feature is implemented it should be
enabled by default: it's supposed to be getting quite easy to attack
random DDs' DNSes and hijack their debian mirrors.
Ciao,
Enrico
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.25-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages sbuild depends on:
ii adduser 3.108 add and remove users and groups
ii apt 0.7.14+b1 Advanced front-end for dpkg
ii dctrl-tools 2.13.0 Command-line tools to process Debi
ii devscripts 2.10.33 scripts to make the life of a Debi
ii dpkg-dev 1.14.20 Debian package development tools
ii perl 5.10.0-11 Larry Wall's Practical Extraction
ii perl-modules 5.10.0-11 Core Perl modules
ii postfix [mail-transport-agent 2.5.2-1 High-performance mail transport ag
ii schroot 1.2.1-1 Execute commands in a chroot envir
Versions of packages sbuild recommends:
ii debootstrap 1.0.10 Bootstrap a basic Debian system
ii fakeroot 1.9.5 Gives a fake root environment
Versions of packages sbuild suggests:
ii deborphan 1.7.24 Find orphaned libraries
ii wget 1.11.4-1 retrieves files from the web
-- no debconf information
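
Added example (not part of the original report and not sbuild code): a shell check that flags apt configuration inside a chroot tree which turns signature checking off, covering the /var/lib/sbuild/apt.conf file quoted above plus the standard /etc/apt/apt.conf and /etc/apt/apt.conf.d locations. The function names scan_apt_conf and audit_chroot are made up for this example, and only the flat "APT::Get::AllowUnauthenticated value;" form is recognised, not nested "APT { Get { ... } }" scopes.

```shell
#!/bin/sh
# Added example: report apt settings in a chroot that disable signature checks.
# Usage: audit_chroot /path/to/chroot   (exit status 1 means a finding)

# scan_apt_conf FILE: print "FILE:LINE: text" for every offending line.
scan_apt_conf() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*(\/\/|#)/ { next }    # skip comment lines
        {
            line = tolower($0)
            # option name, optional quote, then a value apt parses as true
            if (line ~ /apt::get::allowunauthenticated[ \t]+"?(true|yes|1|on|enable|with)"?[ \t]*;/)
                printf "%s:%d: %s\n", f, NR, $0
        }' "$1"
}

# audit_chroot ROOT: scan the file sbuild writes plus the usual apt
# configuration locations below ROOT. Prints findings; returns 1 if any.
audit_chroot() {
    root=${1%/}
    hits=$(
        scan_apt_conf "$root/var/lib/sbuild/apt.conf"
        scan_apt_conf "$root/etc/apt/apt.conf"
        for f in "$root"/etc/apt/apt.conf.d/*; do
            scan_apt_conf "$f"
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Because sbuild rewrites its apt.conf on every run, the check is only meaningful after the chroot has been set up for a build.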