Source: debian-installer-netboot-images Version: 20120712 Severity: serious Justification: silently ignores failures, creating broken packages
Hi,

Whilst preparing the dini uploads for the upcoming point releases, on debdiffing the binary packages against the previous versions I noticed that one of them seemed to have lost all of its files and had an Installed-Size of 32.

Checking the build log, I found that this was due to one of the Release file checks failing with:

  gpgv: BAD signature from "Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>"

(This appears to have been an issue with a particular mirror, fwiw.)

The checks in get-images.sh do:

  if gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg $RELEASE_FILE.gpg $RELEASE_FILE ; then
      get_di_built_using $1
      get_installer $1
  fi

Whilst a failure to verify the Release signature does mean that we don't attempt to build an image using untrusted inputs, the package build continues with no sign of a problem having occurred until the binary packages are examined.

Regards,

Adam
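The fix the report is asking for is a failing branch: when gpgv rejects the Release signature, the script should report the failure and exit non-zero so the package build stops, rather than skipping the fetch and letting an empty package be produced. The block below is an added example and is not code from get-images.sh or the debian-installer-netboot-images package; fetch_suite, verify_release, good_sig and bad_sig are hypothetical stand-ins (good_sig and bad_sig emulate the two gpgv outcomes so the logic can be exercised without a mirror or keyring), and the output directory check is an extra guard against the "Installed-Size of 32" symptom described above.

```shell
#!/bin/sh
# Added example, not the project's own code: verify-then-fetch with a
# loud failure path. In the real script the verifier is
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg "$RELEASE_FILE.gpg" "$RELEASE_FILE"
# Here the verifier is passed in as a command name (hypothetical) so the
# control flow can be run offline.
set -eu

# Constructed stand-ins for the two gpgv outcomes (hypothetical).
good_sig() { return 0; }
bad_sig()  { echo 'gpgv: BAD signature from "<constructed>"' >&2; return 1; }

# verify_release SUITE VERIFIER: run VERIFIER against SUITE's Release file.
verify_release() {
    "$2" "$1"
}

# fetch_suite SUITE VERIFIER OUTDIR
# Returns 0 only if the signature verified AND the fetch left files in OUTDIR.
# Any other outcome prints an error and returns 1, which under set -e (or an
# explicit "|| exit 1" in the caller) aborts the package build.
fetch_suite() {
    suite=$1
    verifier=$2
    outdir=$3

    if ! verify_release "$suite" "$verifier"; then
        echo "ERROR: Release signature verification failed for $suite; aborting build" >&2
        return 1
    fi

    mkdir -p "$outdir"
    # Stand-in for get_di_built_using / get_installer: write a placeholder file.
    echo "installer for $suite" > "$outdir/netboot.tar.gz"

    # Belt and braces: an empty output tree means nothing was fetched, which
    # is exactly the silent failure the bug report describes.
    if [ -z "$(ls -A "$outdir")" ]; then
        echo "ERROR: no files fetched for $suite" >&2
        return 1
    fi
    return 0
}
```

Usage in a build script would be `fetch_suite "$SUITE" verify_with_gpgv "$DEST" || exit 1`, with verify_with_gpgv wrapping the real gpgv invocation; the point is that the else path exists and is non-zero, so a bad mirror fails the build instead of shipping an empty package.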

