[Buildd-tools-devel] Bug#492327: Bug#492327: APT signature checking should be on by default

Enrico Zini enrico at debian.org
Fri Jul 25 11:38:27 UTC 2008


On Fri, Jul 25, 2008 at 12:00:41PM +0100, Roger Leigh wrote:

> There was also originally some concern that having signature-checking
> tools inside a "minimal" chroot was not appropriate; I'm not sure if
> this is still seen as a concern.

I would think that just having apt inside the chroot brings in all
signature checking tools, but honestly I didn't verify.


> > I'd say however that once the feature is implemented it should be
> > enabled by default: it's supposed to be getting quite easy to attack
> > random DDs' DNSes and hijack their debian mirrors.
> Agreed.  I'll be happy to remove the hard-coding and make it
> configurable.  I'm quite short of time ATM, so a patch would make it
> much quicker.

Done: the patch is already in the BTS.


> The sbuild-createchroot script should ideally also set up the chroot
> with the correct signatures in order to validate the mirror.  I'm not
> too familiar with this part, so if it's possible to automate apt-key
> usage as part of the debootstrap part, that would be great.

You just run debootstrap or cdebootstrap with --keyring=/etc/apt/trusted.gpg

I've documented the procedure for pbuilder here:
  http://www.enricozini.org/2006/tips/trusted-pbuilder.html
there's also some more discussion here:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317998


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico at debian.org>
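
Added example, not part of the original message and not sbuild's own code: a shell sketch of the `--keyring` debootstrap step mentioned above, followed by a check that nothing in the new chroot's apt configuration turns signature checking off. The function names, the `DEBOOTSTRAP` override variable and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and the DEBOOTSTRAP variable are hypothetical.

# Run debootstrap against an explicit keyring, refusing to start when the
# keyring is missing or empty (there would be nothing to verify against).
checked_debootstrap() {
    suite=$1 target=$2 mirror=$3
    keyring=${4:-/etc/apt/trusted.gpg}
    if [ ! -s "$keyring" ]; then
        echo "keyring $keyring is missing or empty" >&2
        return 1
    fi
    # DEBOOTSTRAP can point at cdebootstrap, which the mail also names.
    "${DEBOOTSTRAP:-debootstrap}" --keyring="$keyring" "$suite" "$target" "$mirror"
}

# Print apt configuration files inside the chroot that enable
# APT::Get::AllowUnauthenticated. Returns 0 when none do, 1 otherwise.
# Lines starting with a comment marker are ignored; only the common
# boolean spellings are matched, so this is a first-pass audit.
unauth_overrides() {
    root=$1
    pattern='^[[:space:]]*(APT::Get::)?AllowUnauthenticated[[:space:]]+"?(true|yes|on|1)'
    # grep exits non-zero when a listed path is absent, so test the output
    # rather than the exit status.
    found=$(grep -rlEi "$pattern" \
        "$root/etc/apt/apt.conf" "$root/etc/apt/apt.conf.d" 2>/dev/null) || true
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage (placeholder suite, path and mirror):
#   checked_debootstrap sid /srv/chroot/sid http://deb.debian.org/debian \
#       && unauth_overrides /srv/chroot/sid
```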