Package: sbuild
Version: 0.68.0-1
Severity: serious
Tags: security

sbuild --build-dep-resolver=aptitude will install packages from untrusted sources.

I'm building a backport of dune-geometry in a freshly created jessie-backports chroot. For this I added a local apt repository

  deb file:///srv/apt/ansgar/pub jessie-backports main

to the chroot's sources.list (there is a bind mount setup too). The signing key was *not* installed yet (as I forgot to do so).

Building the package with

  $ /usr/bin/sbuild -j8 -d jessie-backports -A \
      --build-dep-resolver=aptitude dune-geometry_2.4.1-1~bpo8+1.dsc

made apt in the chroot complain as expected:

+---
| W: GPG error: file: jessie-backports InRelease: The following signatures
| couldn't be verified because the public key is not available:
| NO_PUBKEY 4618504DFB3AD1E0
+---

But to my surprise, the aptitude solver went on to install packages from there:

+---
| aptitude -y --without-recommends -o Dpkg::Options::=--force-confold
| -o Aptitude::CmdLine::Ignore-Trust-Violations=false [...]
| install sbuild-build-depends-dune-geometry-dummy:amd64
| [...]
| The following actions will resolve these dependencies:
|
|      Install the following packages:
| 1)     libdune-common-dev [2.4.1-1~bpo8+1 (<NULL>)]
| [...]
| Selecting previously unselected package libdune-common-dev:amd64.
| Preparing to unpack .../libdune-common-dev_2.4.1-1~bpo8+1_amd64.deb ...
| Unpacking libdune-common-dev:amd64 (2.4.1-1~bpo8+1) ...
| [...]
| Setting up libdune-common-dev:amd64 (2.4.1-1~bpo8+1) ...
| [...]
| Package versions: [...] libdune-common-dev_2.4.1-1~bpo8+1 [...]
+---

I'm not sure if this is an issue with sbuild calling aptitude or with aptitude. Feel free to reassign to aptitude (aptitude 0.6.11-1+b1 was installed in the chroot).

(This was before the dune-common backport reached the archive.)

Ansgar

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (100, 'buildd-unstable'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sbuild depends on:
ii  adduser         3.113+nmu3
ii  apt-utils       1.2.4
ii  libsbuild-perl  0.68.0-1
ii  perl            5.22.1-7

Versions of packages sbuild recommends:
ii  debootstrap  1.0.79
ii  fakeroot     1.20.2-1

Versions of packages sbuild suggests:
pn  deborphan  <none>
ii  wget       1.17.1-1+b1

-- no debconf information
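A pre-flight check a build administrator could run before invoking sbuild, added here as an example that is not part of the report or of sbuild: it scans the output of apt-get update inside the chroot for the unauthenticated-source warning quoted above and refuses to build when any source cannot be verified. The schroot invocation, the chroot-name parameter and the sample outputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Pre-flight check for an sbuild chroot (added example, not sbuild's own code).
# Idea: the aptitude resolver must never see an unverifiable source, so fail
# early on the apt warning instead of relying on the resolver to refuse.

# Return 0 when apt/aptitude output shows no trust problem, 1 otherwise.
# The patterns cover the "GPG error"/NO_PUBKEY warning seen in the report and
# the messages apt prints for unsigned or unauthenticated sources.
apt_output_trusted() {
    if printf '%s\n' "$1" | grep -Eiq 'GPG error|NO_PUBKEY|is not signed|cannot be authenticated|not authenticated'; then
        return 1
    fi
    return 0
}

# Refresh the package lists inside a schroot chroot named $1 and return 1 if
# apt could not authenticate every source.  (Hypothetical wrapper: assumes a
# schroot setup and is not invoked below.)
chroot_sources_trusted() {
    out=$(schroot -c "$1" -u root -- apt-get update 2>&1) || return 1
    apt_output_trusted "$out"
}

# Constructed sample outputs modelled on the warning quoted in the report
# (the key ID is the one the report shows).
SAMPLE_UNTRUSTED='Get:1 file:/srv/apt/ansgar/pub jessie-backports InRelease
W: GPG error: file: jessie-backports InRelease: The following signatures
couldn'\''t be verified because the public key is not available:
NO_PUBKEY 4618504DFB3AD1E0
Reading package lists...'

SAMPLE_TRUSTED='Hit http://deb.debian.org/debian jessie-backports InRelease
Reading package lists...'

# Demonstration on the constructed samples: the untrusted one must be rejected.
if apt_output_trusted "$SAMPLE_UNTRUSTED"; then
    echo "untrusted sample wrongly accepted"
else
    echo "untrusted sample rejected: do not run sbuild against this chroot"
fi
```

In a real build wrapper, call chroot_sources_trusted with the chroot name and exit before sbuild runs if it returns non-zero.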