As Ansgar Burchard pointed out, the default pbuilder configuration does not enforce usage of signed packages. If you are quick, you can spot a warning about an unverified signature. Since version 0.199 there is a way to turn on enforced signature verification. The method is documented both in man pbuilderrc and in the changelog, and is to set the following option:
PBUILDERSATISFYDEPENDSOPT=('--check-key')

Now the bad thing is that, according to man pbuilderrc, the default value for PBUILDERSATISFYDEPENDSCMD is aptitude, which does not permit unsigned repositories. This suggests that it would actually check those signatures in the default configuration. This way of pretending false security is dangerous, and I totally agree that this is a security issue. On the other hand, Junichi Uekawa already did the work of solving this issue and just did not enable the check by default. Maybe tech-ctte needs to decide?

Helmut
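A quick way to audit an existing setup for the option discussed above, as an added example that is not part of the bug report or of pbuilder itself: pbuilderrc is a shell fragment that pbuilder sources, so the check below sources a given file in a throwaway bash subprocess and reports whether PBUILDERSATISFYDEPENDSOPT actually contains --check-key. Sourcing rather than grepping matters, because a commented-out line would otherwise look like an enabled option. The sample pbuilderrc files are constructed here for illustration; the function name and the temporary-file layout are this example's own choices.

```shell
#!/bin/sh
# Added example: report whether a pbuilderrc file enables --check-key for
# pbuilder's satisfydepends helper. Not part of pbuilder or of the report.
# Assumption: the file is trusted shell (pbuilder sources it anyway), so it
# is sourced in a separate bash process to evaluate the bash array syntax.

# Print "yes" if PBUILDERSATISFYDEPENDSOPT in file $1 contains the element
# --check-key after the file is sourced, "no" otherwise.
pbuilder_check_key_enabled() {
    if bash -c '. "$1" >/dev/null 2>&1; printf "%s\n" "${PBUILDERSATISFYDEPENDSOPT[@]}"' sh "$1" \
        | grep -qx -- '--check-key'; then
        echo yes
    else
        echo no
    fi
}

# Print the configured PBUILDERSATISFYDEPENDSCMD, or "<unset>" if the file
# leaves the pbuilder default in place.
pbuilder_satisfydepends_cmd() {
    bash -c '. "$1" >/dev/null 2>&1; printf "%s\n" "${PBUILDERSATISFYDEPENDSCMD:-<unset>}"' sh "$1"
}

tmpdir=$(mktemp -d)

# Constructed sample: a typical pbuilderrc that never sets the option, so
# dependencies are installed without signature enforcement.
cat > "$tmpdir/weak.pbuilderrc" <<'EOF'
DISTRIBUTION=sid
# PBUILDERSATISFYDEPENDSOPT=('--check-key')   # commented out: still off
EOF

# Constructed sample: the same file with the option from the report applied.
cat > "$tmpdir/strict.pbuilderrc" <<'EOF'
DISTRIBUTION=sid
PBUILDERSATISFYDEPENDSOPT=('--check-key')
EOF

# Human-readable report for each file.
for rc in "$tmpdir/weak.pbuilderrc" "$tmpdir/strict.pbuilderrc"; do
    printf '%s: check-key=%s satisfydepends=%s\n' \
        "$(basename "$rc")" \
        "$(pbuilder_check_key_enabled "$rc")" \
        "$(pbuilder_satisfydepends_cmd "$rc")"
done
```

To audit a real machine, point the function at /etc/pbuilderrc and ~/.pbuilderrc (the latter overrides the former, so both need to be read in that order to know the effective value).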