Bug#579028: Allow --check-key to be reliably cleared once set

Neil Williams codehelp at debian.org
Sun Mar 4 12:51:26 UTC 2012


I think I understand Yves' implementation, I've done something similar
myself. One feature of how that works for me is that I end up with as
many pbuilderrc-foo files as I need different mechanisms.

0: Default Debian build ...

1: Secondary Debian build using a local mirror URL which cannot be
resolved outside the building..

2: internal base.tgz where there is no network access outside the
building and Debian is copied in as a mirror, apt sources include an
internal, unsigned, repository...

3: cross base.tgz with Emdebian apt sources from Squeeze on a Debian
sid environment

Mixing suites, mixing access sites, use inside and outside restrictive
networks, these are all use-cases for having multiple config files for
pbuilder and some will require SecureApt to be turned off.

Why not extend this principle? To use these other configurations, I
have to specify the --config-file option anyway, so it is just a single
change to the existing config files for each of the configurations
which already need a config file.

This isn't suitable for debconf or similar because it is a choice which
needs to be made per-run, not per installation.

The problem with the current state of pbuilder is that the --check-key
behaviour cannot be undone once enabled by an option elsewhere.

pbuilder-satisfydepends-checkparams needs a corresponding
--no-check-key option which *re-asserts* the previous value of
PBUILDER_APTITUDE_CHECK_OPTS and PBUILDER_APT_GET_CHECK_OPTS.

With that in place, /etc/pbuilderrc and /usr/share/pbuilder/pbuilderrc
could set --check-key by default and individual --configfile uses could
reliably unset it.

The bootstrap option is different as it's a fire-and-forget mostly. The
problem with --check-key is that I absolutely want SecureApt enabled
whenever I use 'pbuilder update' but I also want it to be disabled
reliably when I use 'pbuilder update --configfile /foo/foo.rc'.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pbuilder-maint/attachments/20120304/ff3a14d0/attachment.pgp>


More information about the Pbuilder-maint mailing list