[Pbuilder-maint] Re: your blog entry on secure pbuilder.

Enrico Zini enrico at debian.org
Fri May 26 11:20:13 UTC 2006


On Fri, May 26, 2006 at 07:24:02AM +0900, Junichi Uekawa wrote:

> I've read your post.
> http://www.enricozini.org/blog/eng/trusted-pbuilder.html
> Are you sure that's enough?  That seems to be just when creating the
> initial chroot.
> Untrusted packages will be installed regardless since pbuilder will
> call apt-get with options to force installation.

Right, you're right.  However, a warning will be shown if it's
installing untrusted packages, which one can check in the build logs.
Sure, it's not enough.

One simple solution would be not to pass the force options to apt if
/etc/apt/trusted.gpg exists.  But this should still need to be disabled
in case I'm using an extra local source of packages I've built myself.

> There are several things that need to be done
> 1. filing a bug on cdebootstrap to support --keyring option
>  (does that install gnupg inside chroot as well?)

This has already been done, as #351352.

> 2. filing a bug on pbuilder to request support.

That should be #317998.

I will now add a note to my blog as well.  I noticed that you already
put a note in the wiki page: thanks!


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico at debian.org>
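
The build-log check mentioned in the message above, as an added example that is not part of the original e-mail or of pbuilder: it assumes the log contains apt-get's standard "cannot be authenticated" warning followed by indented package names, and the function names and sample log are constructed for illustration.

```shell
#!/bin/sh
# Print each package that apt installed without authentication, one per
# line, from build logs given as arguments or on stdin.
# apt-get prints the warning header, then the names on indented lines.
unauth_packages() {
    awk '
        /^WARNING: The following packages cannot be authenticated!/ { in_list = 1; next }
        in_list && /^[ \t]+/ { for (i = 1; i <= NF; i++) print $i; next }
        { in_list = 0 }   # any non-indented line ends the package list
    ' "$@" | LC_ALL=C sort -u
}

# Return 1 if any unauthenticated package appears in the log, so the
# check can gate an upload or a later build step.
# Usage: check_log build.log
check_log() {
    pkgs=$(unauth_packages "$@")
    if [ -n "$pkgs" ]; then
        echo "unauthenticated packages installed:" >&2
        echo "$pkgs" >&2
        return 1
    fi
    return 0
}

# Constructed sample log (hypothetical package names, not a real build).
sample_log() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  libexample1 libexample-dev
WARNING: The following packages cannot be authenticated!
  libexample1 libexample-dev
Authentication warning overridden.
Get:1 http://localhost sid/main libexample1 1.0-1 [10kB]
EOF
}
```

Only names listed under the warning are reported; the identical list under "NEW packages will be installed" is ignored, so a fully authenticated build passes.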