+++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]: > - [c]debootstrap > I think they both default now to verify signatures (which is a good > thing)... but IIRC, debootstrap also defaults to not verify anything... > if the keyrings aren't installed - admittedly this is unlikely... but > possible...
I found that I could not get debootstrap to do verified downloads from debian-ports with a debian-ports key. Whatever I did with apt-key, keys and --keyring options, it just said that the key was unavailable and stopped. Nice and secure, but useless, so I've had to use sudo debootstrap --no-check-gpg unstable debian-arm64 http://ftp.debian-ports.org/debian in the meantime. So it does default to signed downloads and SFAIK will always do this wether or not any keys are installed/available, unless explicitly disabled. And yes I should report a bug but have failed to do so thus far. If someone can tell me what I'm doing wrong that would improve the security of this particular usage :-) Wookey -- Principal hats: Linaro, Emdebian, Wookware, Balloonboard, ARM http://wookware.org/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140612184356.gn10...@stoneboat.aleph1.co.uk
