On Fri, Jul 25, 2008 at 12:00:41PM +0100, Roger Leigh wrote:

> There was also originally some concern that having signature-checking
> tools inside a "minimal" chroot was not appropriate; I'm not sure if
> this is still seen as a concern.

I would think that just having apt inside the chroot brings in all
signature checking tools, but honestly I didn't verify.

> > I'd say however that once the feature is implemented it should be
> > enabled by default: it's supposed to be getting quite easy to attack
> > random DDs' DNSes and hijack their debian mirrors.

> Agreed. I'll be happy to remove the hard-coding and make it
> configurable. I'm quite short of time ATM, so a patch would make it
> much quicker.

Done: the patch is already in the BTS.

> The sbuild-createchroot script should ideally also set up the chroot
> with the correct signatures in order to validate the mirror. I'm not
> too familiar with this part, so if it's possible to automate apt-key
> usage as part of the debootstrap part, that would be great.

You just run debootstrap or cdebootstrap with --keyring=/etc/apt/trusted.gpg

I've documented the procedure for pbuilder here:
http://www.enricozini.org/2006/tips/trusted-pbuilder.html

there's also some more discussion here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317998

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <[EMAIL PROTECTED]>