reopen 579028 =
thanks

On 0, Junichi Uekawa <dan...@netfort.gr.jp> wrote:
> At Sun, 25 Apr 2010 00:01:36 +0900,
> Ansgar Burchardt wrote:
> >
> > pbuilder will by default install packages from untrusted sources. This
> > means the system can be compromised by a man in the middle providing
> > malicious packages. There also seems to be no way to get pbuilder to stop
> > doing so.
> >
> > pbuilder should (in the default configuration) not install packages that
> > are not trusted, only when the user explicitly requests this.
>
> I don't agree to this point since this will break all existing configurations.

Can you please explain how this will break "all existing configurations"?
Does it mean that all people are using untrusted repositories when using
pbuilder?

At least, could you provide a flag to control this behaviour from
pbuilder's command-line and turn it off by default? Breaking
untrusted/broken configurations cannot be a counterargument, IMHO.

Please don't close this bug report before correctly fixing this issue or
discussing its seriousness.

Also, the initial report asked for two changes. Only one of them is fixed
in 0.198.

Regards,

-- 
Mehdi Dogguy