Bug#545900: pbuilder uses debootstrap in am insecure way

[Loïc Minier]

tag 545900 + confirmed
stop

On Wed, Sep 09, 2009, Christoph Anton Mitterer wrote:
> I've seen that you cache packages in /var/cache/pbuilder/aptcache
> How are these retrieved? Are they verified against the archive keyrings?

 pbuilder has historically passed
 Aptitude::CmdLine::Ignore-Trust-Violations=true when installing
 packages with aptitude and -y --force-yes when installing packages with
 apt-get, so missing or incorrect signatures wont prevent a package from
 being installed.

-- 
Loïc Minier