Thanks for the mail. That's a good reminder. I almost forgot about this issue.
At Fri, 26 May 2006 13:20:13 +0200,
Enrico Zini wrote:
>
> On Fri, May 26, 2006 at 07:24:02AM +0900, Junichi Uekawa wrote:
>
> > I've read your post.
> > http://www.enricozini.org/blog/eng/trusted-pbuilder.html
> > are you sure that's enough?  That seems to be just when creating the
> > initial chroot.
> > Untrusted packages will be installed regardless since pbuilder will
> > call apt-get with options to force installation.
>
> Right, you're right.  However, a warning will be shown if it's
> installing untrusted packages, which one can check on the build logs.
> Sure, it's not enough.

That is good.

> One simple solution would be not to pass the force options to apt if
> /etc/apt/trusted.gpg exists.  But this should still need to be disabled
> in case I'm using an extra local source of packages I've built myself.

Yes, that's an issue I'm most worried about.
I was thinking of having some kind of

deb-noauth http://XXXX/

kind of apt-lines, in addition to normal deb lines, to signify that I
don't want authentication because it's a local repos.

regards,
	junichi
-- 
[EMAIL PROTECTED],netfort.gr.jp}
Debian Project

