Re: Packages built with unchecked dependencies

Fri, 25 Jul 2008 02:09:39 -0700 

On Fri, Jul 25, 2008 at 09:49:00AM +1000, Brian May wrote:

>> Am I the only one that feels very, very uncomfortable about this?
> Yes. Errr... I mean... No! It also makes me uncomfortable too. If there  
> is some good reason, I don't know what it is. Even if the network path  
> was completely trusted, I can't think why signature checking should be  
> disabled.

This is mentioned in the thread that Raphael Geisser points to in the
other message: basically, the buildds skip signature checking because
they also need to get packages from incoming, which are not in a signed
repository.  I'm following up to this in a reply to Raphael, though.

> Anyway, I am lazy ;-). How did you reconfigure sbuild to enable  
> signature checking?

It seems that you can't, in my version of sbuild, unless you patch the
code.  The code responsible for disabling signature checking is in
/usr/share/perl5/Sbuild/Chroot.pm and it does not seem to allow any sort
of customisation:

    sub _setup_options (\$\$) {
        [...]
        if (defined($info) &&
            defined($info->{'Location'}) && -d $info->{'Location'}) {
            [...]
            my $aptconf = "/var/lib/sbuild/apt.conf";
            [...]
            # Always write out apt.conf, because it may become outdated.
            if (my $F = new File::Temp( TEMPLATE => "$aptconf.XXXXXX",
                                        DIR => $self->get('Location'),
                                        UNLINK => 0) ) {
                print $F "APT::Get::AllowUnauthenticated true;\n";
                print $F "APT::Install-Recommends false;\n";
                if (! rename $F->filename, $chroot_aptconf) {
                    die "Can't rename $F->filename to $chroot_aptconf: $!\n";
                }
            }
        } else {
            die $self->get('Chroot ID') . " chroot does not exist\n";
        }
    }

> (On the topic of schroot and sbuild, I found this references useful; it  
> is getting dated now but some parts are still relevant:  
> <http://www.pseudorandom.co.uk/2007/sbuild/>
> if only it mentioned what this "apt-get-update" program/script is)

You can actually ignore that if you run something like this before you
start doing your builds of the day:

  schroot -c sid-source -- sh -c "apt-get update; apt-get dist-upgrade; apt-get 
autoclean; apt-get clean"


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <[EMAIL PROTECTED]>

Attachment: signature.asc
Description: Digital signature

Reply via email to