Package: sbuild
Version: 0.57.4-1
Severity: important

Hello,

thank you for packaging sbuild.

I noticed that when I use sbuild+schroot to build my own packages, apt signature checking is turned off.

I tried to turn it on, but it requires patching /usr/share/perl5/Sbuild/Chroot.pm, as (unless I misread the code) disabling signature checking is currently hardcoded in sbuild:

    sub _setup_options (\$\$) {
        [...]
        if (defined($info) &&
            defined($info->{'Location'}) && -d $info->{'Location'}) {
            [...]
            my $aptconf = "/var/lib/sbuild/apt.conf";
            [...]
            # Always write out apt.conf, because it may become outdated.
            if (my $F = new File::Temp( TEMPLATE => "$aptconf.XXXXXX",
                                        DIR => $self->get('Location'),
                                        UNLINK => 0) ) {
                print $F "APT::Get::AllowUnauthenticated true;\n";
                print $F "APT::Install-Recommends false;\n";

                if (! rename $F->filename, $chroot_aptconf) {
                    die "Can't rename $F->filename to $chroot_aptconf: $!\n";
                }
            }
        } else {
            die $self->get('Chroot ID') . " chroot does not exist\n";
        }
    }

I don't want to upload packages built with untrusted build-deps, so at the moment I'm not using sbuild (I might make myself a patched version now that I dug out the code).

I'd say however that once the feature is implemented it should be enabled by default: it's supposed to be getting quite easy to attack random DDs' DNSes and hijack their debian mirrors.

Ciao,

Enrico

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sbuild depends on:
ii  adduser                        3.108      add and remove users and groups
ii  apt                            0.7.14+b1  Advanced front-end for dpkg
ii  dctrl-tools                    2.13.0     Command-line tools to process Debi
ii  devscripts                     2.10.33    scripts to make the life of a Debi
ii  dpkg-dev                       1.14.20    Debian package development tools
ii  perl                           5.10.0-11  Larry Wall's Practical Extraction
ii  perl-modules                   5.10.0-11  Core Perl modules
ii  postfix [mail-transport-agent  2.5.2-1    High-performance mail transport ag
ii  schroot                        1.2.1-1    Execute commands in a chroot envir

Versions of packages sbuild recommends:
ii  debootstrap                    1.0.10     Bootstrap a basic Debian system
ii  fakeroot                       1.9.5      Gives a fake root environment

Versions of packages sbuild suggests:
ii  deborphan                      1.7.24     Find orphaned libraries
ii  wget                           1.11.4-1   retrieves files from the web

-- no debconf information
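
An added example, not part of the original report and not sbuild code: a small Python audit that parses apt.conf syntax and lists every apt configuration file in a chroot that sets APT::Get::AllowUnauthenticated to a true value, including the nested-scope spelling of the option. The function names, the set of files scanned (the chroot-relative var/lib/sbuild/apt.conf is taken from the excerpt above), and the sample strings are assumptions made for illustration.

```python
import glob
import os
import re

OPTION = "apt::get::allowunauthenticated"      # option names are case-insensitive
TRUTHY = {"1", "yes", "true", "with", "on", "enable"}  # words apt reads as boolean true
TOKEN = re.compile(r'''
    //[^\n]* | /\*.*?\*/ | ^\s*\#[^\n]*   # comments and #directives: skipped
  | "(?P<q>(?:[^"\\]|\\.)*)"              # quoted value
  | (?P<p>[{};])                          # scope and statement punctuation
  | (?P<w>[^\s{};"]+)                     # bare word (option name or value)
''', re.X | re.S | re.M)

# Constructed samples: the two lines from the report, and a nested spelling of the same option.
SBUILD_SAMPLE = "APT::Get::AllowUnauthenticated true;\nAPT::Install-Recommends false;\n"
NESTED_SAMPLE = 'APT { Get { AllowUnauthenticated "yes"; }; };  // same effect\n'

def flatten(text):
    """Map each lower-cased, fully scoped option name to its last assigned value."""
    opts, scope, pending = {}, [], []
    for m in TOKEN.finditer(text):
        punct = m.group("p")
        if m.group("q") is not None:
            pending.append(m.group("q"))
        elif m.group("w"):
            pending.append(m.group("w"))
        elif punct == "{":                 # "Name {" opens a scope
            scope.append(pending[0] if pending else "")
            pending = []
        elif punct == "}":
            scope = scope[:-1]
            pending = []
        elif punct == ";":                 # "Name value;" is an assignment
            if len(pending) == 2:
                opts["::".join(scope + [pending[0]]).lower()] = pending[1]
            pending = []
    return opts

def audit_chroot(root):
    """Return (relative path, value) for each apt config file that disables signature checks."""
    hits = []
    for pat in ("etc/apt/apt.conf", "etc/apt/apt.conf.d/*", "var/lib/sbuild/apt.conf"):
        for path in sorted(glob.glob(os.path.join(root, pat))):
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                value = flatten(fh.read()).get(OPTION)
            if value is not None and value.lower() in TRUTHY:
                hits.append((os.path.relpath(path, root), value))
    return hits
```

Run `audit_chroot("/path/to/chroot")` against the chroot's root directory before a build; an empty list means none of the scanned files turns signature checking off.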