Bug#579028: pbuilder: installs untrusted packages without asking
Yves-Alexis Perez
corsac at debian.org
Mon Jul 26 05:41:04 UTC 2010
On lun., 2010-07-05 at 22:30 +0900, Junichi Uekawa wrote:
> Yeah, I am annoyed that will require some setup on the users, but I
> will add configurability for the users who use malicious repositories
> per se.
I have to admit I'm pretty annoyed too.
>
> To really implement this thing, you need support for
>
> Ubuntu, et al. (currently broken with the recent change)
> Some way to add key for whatever extra repository, (not implemented)
> Document how you do local repositories. (currently broken with recent change)
>
Does this mean there's no way to have local, unsigned repositories at
the moment? I have a working (well, had) setup which uses BUILDRESULT as
an apt source so I can build the whole Xfce stack (or evolution one, for
that matter) in a row. That means I need to push just-built packages as
build-deps, and it /is/ a valid use-case.
There's no point in authenticating the repository here, it's local,
manually (and a bit painfully) configured. I don't buy the “security”
argument, sorry.
I've tried to play with various options:
- changing PBUILDERSATISFYDEPENDSCMD to use gdebi so APTGETOPT would be
used : doesn't work
- try to force APTGETOPT=('--force-yes') : doesn't work
- try to unset PBUILDERSATISFYDEPENDSOPT : doesn't work
So I'm a bit puzzled. At the moment, what is the way to do that? If
there are none, I'm afraid it'll break quite a lot of setups. If there
are, I guess they'll need to be explained a bit more.
Cheers,
--
Yves-Alexis