Packages built with unchecked dependencies


by Enrico Zini

Hello,

some time ago, I noticed that using the default pbuilder setup I was
not checking signatures on build-dep packages when building my debian
uploads [1] [2] [3].  I thought this was bad, and since then I pay
attention to it.

Now that I have LVM in my laptop and use schroot, I take care of
building the chroots using "debootstrap --keyring=..." [4], which means
that when I download build-deps inside the chroots, the build-deps get
checked.

Then I tried sbuild to build using my schroot setup, and found that by
default it disables signature checking.  So I stopped using sbuild until
I find a way to reenable it.

Then I had a look at some random buildd log[5]:

  WARNING: The following packages cannot be authenticated!
    x11-common libice6 libsm6 libxau6 libxdmcp6 libxcb1 libxcb-xlib0 libx11-data
    libx11-6 libxt6 apt-utils bsdmainutils groff-base libnewt0.52 libpopt0
    man-db whiptail libmagic1 file gettext-base libidn11 html2text gettext
    intltool-debian po-debconf debhelper cdbs cmake defoma dh-buildinfo
  [...]
  Authentication warning overridden.
  [...]

and found that not even our buildds check signatures, and since I
understand that they don't always reside on the same network as the main
ftp archive, nor do they connect to it using some sort of VPN (correct me
if I'm wrong), I worry that this means that they also build packages
using untrusted build-deps.

Am I the only one that feels very, very uncomfortable about this?


Ciao,

Enrico

[1] http://www.enricozini.org/2006/tips/trusted-pbuilder.html
[2] http://wiki.debian.org/SecurePbuilder
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317998
[4] http://www.enricozini.org/2008/tips/joys-of-schroot.html
[5] http://buildd.debian.org/fetch.cgi?&pkg=libept&ver=0.5.21&arch=i386&stamp=1216774836&file=log

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@...>
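
An added example, not part of the original message or of any Debian tool: a shell check that scans a build log for the apt warning quoted in the message above and reports whether unauthenticated packages were actually installed. The sample log is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag build logs in which apt installed unauthenticated packages.

# Print one package name per line from the list that follows the apt warning.
unauth_packages() {
    LC_ALL=C awk '
        /WARNING: The following packages cannot be authenticated!/ { inlist = 1; next }
        inlist && /^[ \t]+[a-z0-9]/ {
            ok = 1      # a list line holds only valid Debian package names
            for (i = 1; i <= NF; i++) if ($i !~ /^[a-z0-9][a-z0-9+.-]*$/) ok = 0
            if (ok) { for (i = 1; i <= NF; i++) print $i; next }
        }
        { inlist = 0 }  # anything else ends the list
    ' "$1"
}

# Exit status: 0 clean, 1 warning seen but not overridden, 2 warning overridden.
audit_build_log() {
    count=$(unauth_packages "$1" | sort -u | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "ok: every installed package was authenticated"
        return 0
    fi
    if grep -q 'Authentication warning overridden' "$1"; then
        echo "FAIL: $count unauthenticated packages installed, warning overridden"
        return 2
    fi
    echo "WARN: $count unauthenticated packages reported"
    return 1
}

# Constructed sample log (not a real buildd log), written to a temp file.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Reading package lists...
WARNING: The following packages cannot be authenticated!
  x11-common libice6 libsm6
  debhelper cdbs cmake
Authentication warning overridden.
Get:1 http://mirror.example/debian sid/main x11-common
EOF
    echo "$f"
}

log=$(sample_log)
audit_build_log "$log" || echo "exit status: $?"
rm -f "$log"
```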



Re: Packages built with unchecked dependencies

by Brian May-11

Enrico Zini wrote:
> Then I tried sbuild to build using my schroot setup, and found that by
> default it disables signature checking.  So I stopped using sbuild until
> I find a way to reenable it.
>  
[...]
> and found that not even our buildds check signatures, and since I
> understand that they don't always reside on the same network as the main
> ftp archive, nor do they connect to it using some sort of VPN (correct me
> if I'm wrong), I worry that this means that they also build packages
> using untrusted build-deps.
>
> Am I the only one that feels very, very uncomfortable about this?
>  
Yes. Errr... I mean... No! It also makes me uncomfortable too. If there
is some good reason, I don't know what it is. Even if the network path
was completely trusted, I can't think why signature checking should be
disabled.


Anyway, I am lazy ;-). How did you reconfigure sbuild to enable
signature checking?


(On the topic of schroot and sbuild, I found this reference useful; it
is getting dated now but some parts are still relevant:
<http://www.pseudorandom.co.uk/2007/sbuild/>
if only it mentioned what this "apt-get-update" program/script is)

Thanks.

Brian May


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Packages built with unchecked dependencies

by Raphael Geissert

Enrico Zini wrote:

> Hello,
>

Hi,

>
> Am I the only one that feels very, very uncomfortable about this?

Nope: http://thread.gmane.org/gmane.linux.debian.devel.general/121242

>
>
> Ciao,
>
> Enrico
>




Re: Packages built with unchecked dependencies

by Peter Palfrader

On Thu, 24 Jul 2008, Enrico Zini wrote:

> and found that not even our buildds check signatures

The reason they do this is that they build from incoming
(queue/accepted).  And incoming is not signed.  I asked Ryan and Joerg
if that could be changed a few weeks ago and they said they'd look into
it.  Joerg mentioned something about doing it during debcamp.

Cheers,
weasel
--
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/




Re: Packages built with unchecked dependencies

by Enrico Zini

On Fri, Jul 25, 2008 at 09:49:00AM +1000, Brian May wrote:

>> Am I the only one that feels very, very uncomfortable about this?
> Yes. Errr... I mean... No! It also makes me uncomfortable too. If there  
> is some good reason, I don't know what it is. Even if the network path  
> was completely trusted, I can't think why signature checking should be  
> disabled.

This is mentioned in the thread that Raphael Geissert points to in the
other message: basically, the buildds skip signature checking because
they also need to get packages from incoming, which are not in a signed
repository.  I'm following up to this in a reply to Raphael, though.

> Anyway, I am lazy ;-). How did you reconfigure sbuild to enable  
> signature checking?

It seems that you can't, in my version of sbuild, unless you patch the
code.  The code responsible for disabling signature checking is in
/usr/share/perl5/Sbuild/Chroot.pm and it does not seem to allow any sort
of customisation:

    sub _setup_options (\$\$) {
        [...]
        if (defined($info) &&
            defined($info->{'Location'}) && -d $info->{'Location'}) {
            [...]
            my $aptconf = "/var/lib/sbuild/apt.conf";
            [...]
            # Always write out apt.conf, because it may become outdated.
            if (my $F = new File::Temp( TEMPLATE => "$aptconf.XXXXXX",
                                        DIR => $self->get('Location'),
                                        UNLINK => 0) ) {
                print $F "APT::Get::AllowUnauthenticated true;\n";
                print $F "APT::Install-Recommends false;\n";
                if (! rename $F->filename, $chroot_aptconf) {
                    die "Can't rename $F->filename to $chroot_aptconf: $!\n";
                }
            }
        } else {
            die $self->get('Chroot ID') . " chroot does not exist\n";
        }
    }

> (On the topic of schroot and sbuild, I found this reference useful; it
> is getting dated now but some parts are still relevant:  
> <http://www.pseudorandom.co.uk/2007/sbuild/>
> if only it mentioned what this "apt-get-update" program/script is)

You can actually ignore that if you run something like this before you
start doing your builds of the day:

  schroot -c sid-source -- sh -c "apt-get update; apt-get dist-upgrade; apt-get autoclean; apt-get clean"


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@...>
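
An added example, not part of the original message and not sbuild's own code: a shell audit that looks for an active `APT::Get::AllowUnauthenticated` setting in a chroot's apt configuration, including the `/var/lib/sbuild/apt.conf` file named in the excerpt above. It assumes that file lives below the chroot root; the sample tree is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: locate apt settings that switch off signature checking in a chroot.

# Print "file:line: text" for each active AllowUnauthenticated setting under chroot $1.
find_allow_unauth() {
    root=${1%/}
    for f in "$root/etc/apt/apt.conf" "$root"/etc/apt/apt.conf.d/* \
             "$root/var/lib/sbuild/apt.conf"; do
        [ -f "$f" ] || continue
        LC_ALL=C awk -v file="$f" '
            { line = tolower($0); sub(/\/\/.*/, "", line) }   # ignore // comments
            line ~ /apt::get::allowunauthenticated[ \t]+"?(true|yes|on|1|with|enable)"?[ \t]*;/ {
                printf "%s:%d: %s\n", file, NR, $0
            }
        ' "$f"
    done
}

# Exit status 1 if the chroot would install unauthenticated packages, else 0.
audit_chroot() {
    hits=$(find_allow_unauth "$1")
    if [ -n "$hits" ]; then
        printf 'signature checking disabled:\n%s\n' "$hits"
        return 1
    fi
    echo "no AllowUnauthenticated override under $1"
}

# Constructed chroot tree (assumption: sbuild writes its file below the chroot root).
make_sample_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/apt/apt.conf.d" "$d/var/lib/sbuild"
    printf '%s\n' 'APT::Get::AllowUnauthenticated true;' \
        'APT::Install-Recommends false;' > "$d/var/lib/sbuild/apt.conf"
    printf '%s\n' '// APT::Get::AllowUnauthenticated true;' \
        > "$d/etc/apt/apt.conf.d/99local"
    echo "$d"
}

chroot_dir=$(make_sample_chroot)
audit_chroot "$chroot_dir" || echo "exit status: $?"
rm -rf "$chroot_dir"
```

The match covers the one-line `APT::Get::AllowUnauthenticated value;` form shown in the excerpt; the nested-brace form of apt.conf is not parsed.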



Re: Packages built with unchecked dependencies

by Enrico Zini

On Fri, Jul 25, 2008 at 10:57:40AM +0200, Peter Palfrader wrote:
> On Thu, 24 Jul 2008, Enrico Zini wrote:
> > and found that not even our buildds check signatures
> The reason they do this is that they build from incoming
> (queue/accepted).  And incoming is not signed.  I asked Ryan and Joerg
> if that could be changed a few weeks ago and they said they'd look into
> it.  Joerg mentioned something about doing it during debcamp.

Oh thanks, lovely.  I'm glad to hear something's moving: I feel a bit
better now.


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@...>



Re: Packages built with unchecked dependencies

by Enrico Zini

On Fri, Jul 25, 2008 at 10:08:57AM +0100, Enrico Zini wrote:

> It seems that you can't, in my version of sbuild, unless you patch the
> code.

...and if you want to patch the code, you can actually do it using the
patch that I've just prepared and sent at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492327


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@...>



Re: Packages built with unchecked dependencies

by Roger Leigh

On Thu, Jul 24, 2008 at 09:19:24AM +0100, Enrico Zini wrote:
> Then I tried sbuild to build using my schroot setup, and found that by
> default it disables signature checking.  So I stopped using sbuild until
> I find a way to reenable it.

Just to follow up:

- sbuild initially copied what the buildds were doing, and it also made
  sense back when signature checking was new and it broke things, but
  not any more.
- over the weekend, I rewrote sbuild-createchroot to work better with
  debootstrap, and this includes using --keyring by default so that
  signature checking will be enabled by default in the chroot.
- I also applied Enrico's patch which simply makes signature checking
  optional, rather than hard-coding it to be disabled, as it was
  previously.

This is now in git, and it will be uploaded in the next few days.  Any
testing would be appreciated.


Thanks,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

