Hello,

some time ago I noticed that using the default pbuilder setup I was not checking signatures on build-dep packages when building my Debian uploads [1] [2] [3]. I thought this was bad, and since then I pay attention to it.

Now that I have LVM on my laptop and use schroot, I take care of building the chroots using "debootstrap --keyring=..." [4], which means that when I download build-deps inside the chroots, the build-deps get checked.

Then I tried sbuild to build using my schroot setup, and found that by default it disables signature checking. So I stopped using sbuild until I find a way to re-enable it.

Then I had a look at some random buildd log [5]:

  WARNING: The following packages cannot be authenticated!
    x11-common libice6 libsm6 libxau6 libxdmcp6 libxcb1 libxcb-xlib0
    libx11-data libx11-6 libxt6 apt-utils bsdmainutils groff-base
    libnewt0.52 libpopt0 man-db whiptail libmagic1 file gettext-base
    libidn11 html2text gettext intltool-debian po-debconf debhelper cdbs
    cmake defoma dh-buildinfo [...]
  Authentication warning overridden.
  [...]

and found that not even our buildds check signatures, and since I understand that they don't always reside on the same network as the main ftp archive, nor do they connect to it using some sort of VPN (correct me if I'm wrong), I worry that this means that they also build packages using untrusted build-deps.

Am I the only one that feels very, very uncomfortable about this?

Ciao,

Enrico

[1] http://www.enricozini.org/2006/tips/trusted-pbuilder.html
[2] http://wiki.debian.org/SecurePbuilder
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317998
[4] http://www.enricozini.org/2008/tips/joys-of-schroot.html
[5] http://buildd.debian.org/fetch.cgi?&pkg=libept&ver=0.5.21&arch=i386&stamp=1216774836&file=log

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <[EMAIL PROTECTED]>
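The warning Enrico quotes is printed by apt when it installs packages whose Release signature could not be verified, and "Authentication warning overridden." means the build went ahead anyway. As an added example (not from the mail, from Debian's buildd tooling, or from sbuild/pbuilder), here is a small POSIX sh checker that scans a build log for exactly those two lines, so a build that pulled in unverified build-deps can be flagged or failed after the fact instead of silently accepted. The sample log text inside it is constructed for this example, modelled on the quoted buildd log; the file and function names are my own.

```shell
# Added example: detect unauthenticated build-deps in an apt/sbuild/buildd log.
# Not part of the original mail, sbuild, pbuilder or the Debian buildd code.

# Return 0 when the log shows no authentication warning, 1 when apt warned
# that packages could not be authenticated or the warning was overridden.
check_build_log() {
    log="$1"
    if grep -q 'cannot be authenticated' "$log"; then
        return 1
    fi
    if grep -q 'Authentication warning overridden' "$log"; then
        return 1
    fi
    return 0
}

# Print, one per line, the package names apt listed after its warning.
# apt prints the names on the indented line(s) that follow the WARNING line,
# so collect whitespace-led lines until the next unindented one.
list_unauthenticated() {
    awk '
        /cannot be authenticated/ { collect = 1; next }
        collect && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        { collect = 0 }
    ' "$1"
}

# Write a constructed sample log (not a real buildd log) to the given path,
# shaped like the excerpt quoted in the mail.
write_sample_log() {
    cat > "$1" <<'EOF'
Reading package lists...
Building dependency tree...
WARNING: The following packages cannot be authenticated!
  x11-common libice6 libsm6 libxau6 debhelper cdbs cmake
Authentication warning overridden.
Get:1 http://ftp.debian.org sid/main x11-common 1:7.3+12 [327kB]
Setting up debhelper (7.0.13) ...
EOF
}

# Usage: sh check-log.sh /path/to/build.log
# (hypothetical script name; pass any sbuild/pbuilder/buildd log file)
if [ -n "$1" ]; then
    if check_build_log "$1"; then
        echo "OK: all build-deps were authenticated in $1"
    else
        echo "FAIL: unauthenticated build-deps were installed according to $1:"
        list_unauthenticated "$1" | sed 's/^/  /'
        exit 1
    fi
fi
```

Grepping the log is a detective control only: it tells you after the fact that the chroot trusted unsigned packages. The preventive fix is to keep apt's authentication enabled inside the chroot (a keyring-built debootstrap chroot, and a build tool that does not pass apt an allow-unauthenticated option), and the checker is useful for confirming that the build tool really did so.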