[Pbuilder-maint] Bug#317998: your blog entry on secure pbuilder.
Junichi Uekawa
dancer at netfort.gr.jp
Fri May 26 20:45:43 UTC 2006
Thanks for the mail. That's a good reminder.
I almost forgot about this issue.
At Fri, 26 May 2006 13:20:13 +0200,
Enrico Zini wrote:
>
> On Fri, May 26, 2006 at 07:24:02AM +0900, Junichi Uekawa wrote:
>
> > I've read your post.
> > http://www.enricozini.org/blog/eng/trusted-pbuilder.html
> > Are you sure that's enough? That seems to be just when creating the
> > initial chroot.
> > Untrusted packages will be installed regardless since pbuilder will
> > call apt-get with options to force installation.
>
> Right, you're right. However, a warning will be shown if it's
> installing untrusted packages, which one can check on the build logs.
> Sure, it's not enough.
That is good.
> One simple solution would be not to pass the force options to apt if
> /etc/apt/trusted.gpg exists. But this should still need to be disabled
> in case I'm using an extra local source of packages I've built myself.
Yes, that's an issue I'm most worried about.
I was thinking of having some kind of
deb-noauth http://XXXX/
kind of apt-lines, in addition to normal deb lines, to signify that I
don't want authentication because it's a local repos.
regards,
junichi
--
dancer@{debian.org,netfort.gr.jp} Debian Project
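
The build-log check mentioned in the thread, as an added example that is not part of the original message or of pbuilder: it extracts the package names listed under apt's "cannot be authenticated" warning and fails if any are found. The function names and the sample log are constructed for illustration, and the script assumes apt prints the warning header followed by indented package names.

```shell
#!/bin/sh
# Added example: report packages that apt installed without authentication,
# read from a pbuilder build log.

# Print each package named under apt's "cannot be authenticated" warning,
# one per line. $1 is the path to a build log.
unauthenticated_packages() {
    awk '
        /^WARNING: The following packages cannot be authenticated!/ {
            in_block = 1; next
        }
        # apt lists the affected packages on indented, wrapped lines.
        in_block && /^[ \t]+[^ \t]/ {
            for (i = 1; i <= NF; i++) print $i
            next
        }
        { in_block = 0 }   # any other line ends the list
    ' "$1" | LC_ALL=C sort -u
}

# Return 0 if the log is clean, 1 if anything unauthenticated was installed.
check_build_log() {
    pkgs=$(unauthenticated_packages "$1")
    if [ -z "$pkgs" ]; then
        return 0
    fi
    echo "unauthenticated packages in $1:" >&2
    echo "$pkgs" | sed 's/^/  /' >&2
    return 1
}

# Constructed sample log (not real pbuilder output) for trying the functions.
sample_log() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  libexample-dev libexample1 localtool
WARNING: The following packages cannot be authenticated!
  libexample-dev libexample1
  localtool
Authentication warning overridden.
Get:1 http://localhost sid/main libexample1 1.0-1 [10kB]
EOF
}

# Usage: sh check-log.sh /path/to/build.log
if [ $# -gt 0 ]; then
    check_build_log "$1" || exit 1
fi
```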