Bug#579028: pbuilder: installs untrusted packages without asking
Junichi Uekawa
dancer at netfort.gr.jp
Sat Jul 3 14:58:15 UTC 2010
severity 579028 wishlist
thanks
At Thu, 24 Jun 2010 18:13:55 +0200,
Mehdi Dogguy wrote:
>
> reopen 579028 =
> thanks
>
> On 0, Junichi Uekawa <dancer at netfort.gr.jp> wrote:
> > At Sun, 25 Apr 2010 00:01:36 +0900,
> > Ansgar Burchardt wrote:
> > >
> > > pbuilder will by default install packages from untrusted sources. This
> > > means the system can be compromised by a man in the middle providing
> > > malicious packages. There also seems to be no way to get pbuilder to stop
> > > doing so.
> > >
> > > pbuilder should (in the default configuration) not install packages that
> > > are not trusted, only when the user explicitly requests this.
> >
> > I don't agree to this point since this will break all existing configurations.
>
> Can you please explain how this will break "all existing configurations"?
> Does it mean that all people are using untrusted repositories when using
> pbuilder?
>
> At least, could you provide a flag to control this behaviour from pbuilder's
> command-line and turn it off by default? Breaking untrusted/broken configurations
> cannot be a counterargument, IMHO.
>
> Please don't close this bug report before correctly fixing this issue or
> discussing its seriousness. Also, the initial report asked for two changes.
> Only one of them is fixed in 0.198.
>
> Regards,
>
> --
> Mehdi Dogguy
>