Hi!

On Thu, 2014-06-12 at 19:43:56 +0100, Wookey wrote:
> +++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> > - [c]debootstrap
> > I think they both default now to verify signatures (which is a good
> > thing)... but IIRC, debootstrap also defaults to not verify anything...
> > if the keyrings aren't installed - admittedly this is unlikely... but
> > possible...
>
> I found that I could not get debootstrap to do verified downloads from
> debian-ports with a debian-ports key. Whatever I did with apt-key, keys
> and --keyring options, it just said that the key was unavailable and
> stopped. Nice and secure, but useless, so I've had to use
> sudo debootstrap --no-check-gpg unstable debian-arm64
> http://ftp.debian-ports.org/debian
> in the meantime.
>
> So it does default to signed downloads and SFAIK will always do this
> whether or not any keys are installed/available, unless explicitly disabled.
>
> And yes I should report a bug but have failed to do so thus far.
>
> If someone can tell me what I'm doing wrong that would improve the
> security of this particular usage :-)

That might actually be a bug/deficiency of mini-dak, but I've not looked
into it for a very long time so I could not say for sure off the top of
my head.

Regards,
Guillem