On Tue, 16 Apr 2013, Robert Spencer wrote:
> >And have debian-cd extract the file and pass it around to APT and
> >debootstrap.
> >And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
> >unset it to activate the GPG check at the debootstrap level.
> >
> >Can you implement this ?
>
> Patch file attached. Again it's for debian-cd 3.1.12.

Thanks, but there's a small misunderstanding left here:

> # By default we use debootstrap --no-check-gpg to find out the minimal set
> # of packages because there's no reason to not trust the local mirror. But
> # you can be paranoid and then you need to indicate the keyring to use to
> # validate the mirror.
> -#export DEBOOTSTRAP_OPTS="--keyring
> /usr/share/keyrings/debian-archive-keyring.gpg"
> +#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"

This still requires that the keyring be installed on the system whereas
we're already extracting it from the binary package in debian-cd.

So I was suggesting to always pass the --keyring option to debootstrap
but letting it point to the extracted keyring instead of the system-wide
one.

And then CONF.sh would only contain something like this:

# By default we use debootstrap --no-check-gpg to find out the minimal set
# of packages because there's no reason to not trust the local mirror. But
# you can be paranoid and then you need to set DEBOOTSTRAP_OPTS to an
# empty value and indicate the keyring to use with ARCHIVE_KEYRING_PACKAGE
# and ARCHIVE_KEYRING_FILE.
#export DEBOOTSTRAP_OPTS="--no-check-gpg"

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
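
Review bot: On the added '#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"' line, the comment block above it never names ARCHIVE_KEYRING_FILE or says where it is set and what it must hold, and if the variable is empty when someone uncomments the line the value expands to a bare "--keyring" with no path. Suggest rewording the comment, which still reads "indicate the keyring to use to validate the mirror", so that it names the variable and its expected value, and stating that it must be defined before this line. The comment's first sentence also describes the --no-check-gpg default while the only example shown is the --keyring form, so a reader cannot tell from the example which setting is the default and which is the stricter one.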