Enrico Zini wrote:
Then I tried sbuild to build using my schroot setup, and found that by
default it disables signature checking. So I stopped using sbuild until
I find a way to reenable it.
[...]
and found that not even our buildds check signatures, and since I
understand that they don't always reside on the same network as the main
ftp archive, nor they connect to it using some sort of VPN (correct me
if I'm wrong), I worry that this means that they also buld packages
using untrusted build-deps.
Am I the only one that feels very, very uncomfortable about this?
Yes. Errr... I mean... No! It also makes me uncomfortable too. If there
is some good reason, I don't know what it is. Even if the network path
was completely trusted, I can't think why signature checking should be
disabled.
Anyway, I am lazy ;-). How did you reconfigure sbuild to enable
signature checking?
(On the topic of schroot and sbuild, I found this references useful; it
is getting dated now but some parts are still relevant:
<http://www.pseudorandom.co.uk/2007/sbuild/>
if only it mentioned what this "apt-get-update" program/script is)
Thanks.
Brian May
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
