severity wishlist
thanks

At Sun, 25 Apr 2010 00:01:36 +0900,
Ansgar Burchardt wrote:
>
> Package: pbuilder
> Version: 0.196
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> pbuilder will by default install packages from untrusted sources. This
> means the system can be compromised by a man in the middle providing
> malicious packages. There also seems to be no way to get pbuilder to stop
> doing so.
>
> pbuilder should (in the default configuration) not install packages that
> are not trusted, only when the user explicitly requests this.
>
> Also when creating the chroot with debootstrap, the --keyring option
> should be used so that debootstrap will check for a valid signature.
>
> Regards,
> Ansgar
>
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> _______________________________________________
> Pbuilder-maint mailing list
> pbuilder-ma...@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pbuilder-maint
>
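An added example, not part of the thread and not pbuilder code: a small shell audit for the two conditions the report describes, a debootstrap invocation without --keyring and apt settings that accept unauthenticated packages. The function names, the keyring path and the sample inputs are assumptions made for this illustration; APT::Get::AllowUnauthenticated, Acquire::AllowInsecureRepositories and trusted=yes are apt settings the report itself does not name.

```shell
#!/bin/sh
# Added example (not pbuilder code): flag chroot-creation and apt settings
# that let unverified packages in. Sample inputs below are constructed.

# audit_debootstrap_args ARG...: succeed only if the debootstrap arguments
# name a keyring and do not switch signature checking off.
audit_debootstrap_args() {
    keyring="" bad=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --keyring=?*) keyring=${1#--keyring=} ;;
            --keyring)    if [ "$#" -ge 2 ]; then keyring=$2; shift; fi ;;
            --no-check-gpg)
                echo "FAIL: --no-check-gpg disables Release signature checks"
                bad=1 ;;
        esac
        shift
    done
    if [ -z "$keyring" ]; then
        echo "FAIL: no --keyring option, signature check not requested"
        bad=1
    fi
    [ "$bad" -eq 0 ]
}

# audit_apt_conf: read apt.conf or sources.list text on stdin and report
# settings that accept unauthenticated packages. Lines starting with # or //
# are skipped.
audit_apt_conf() {
    bad=0
    while IFS= read -r line; do
        case "$line" in '#'*|//*) continue ;; esac
        if printf '%s\n' "$line" |
            grep -Eiq 'Allow(Unauthenticated|InsecureRepositories)[ "]+(true|yes|1)'; then
            echo "FAIL: unauthenticated install enabled: $line"
            bad=1
        fi
        if printf '%s\n' "$line" |
            grep -Eq '^deb(-src)?[[:space:]]+\[[^]]*trusted=yes'; then
            echo "FAIL: source marked trusted=yes: $line"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: an invocation without a keyring, then one with it.
audit_debootstrap_args --variant=buildd sid /tmp/chroot || echo "first: rejected"
audit_debootstrap_args --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
    --variant=buildd sid /tmp/chroot && echo "second: accepted"
```

Both functions return non-zero when they print a finding, so they can gate a build script before the chroot is created.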