Hi Ansgar,

On Sun, 06 Mar 2016 13:25:21 +0100 Ansgar Burchardt <ans...@debian.org> wrote:
> sbuild --build-dep-resolver=aptitude will install packages from
> untrusted sources.

I cannot reproduce your findings. I created a directory on my host with the
sbuild packages from experimental, ran:

$ dpkg-scanpackages . /dev/null > Packages
$ apt-ftparchive release . > Release

Then served that directory via http:

$ python -m SimpleHTTPServer 8000

And then crafted a dummy source package with:

Build-Depends: debhelper, sbuild (= 0.68.0-1.0~exp1), libsbuild-perl (= 0.68.0-1.0~exp1)

Then I run:

sbuild --extra-repository="deb http://127.0.0.1:8000/ ./" --build-dep-resolver=aptitude

And I get:

The following NEW packages will be installed:
  apt-utils{a} autotools-dev{a} bsdmainutils{a} dctrl-tools{a}
  debhelper{a} devscripts{a} dh-python{a} dh-strip-nondeterminism{a}
  file{a} gettext{a} gettext-base{a} groff-base{a} intltool-debian{a}
  libapt-inst2.0{a} libarchive-zip-perl{a}
  libboost-program-options1.58.0{a} libbsd0{a}
  libclass-data-inheritable-perl{a} libcroco3{a}
  libdevel-stacktrace-perl{a} libemail-date-format-perl{a}
  libexception-class-perl{a} libexpat1{a} libffi6{a}
  libfile-stripnondeterminism-perl{a} libfilesys-df-perl{a}
  libglib2.0-0{a} libicu55{a} libio-socket-ssl-perl{a} libmagic1{a}
  libmailtools-perl{a} libmime-lite-perl{a} libmpdec2{a}
  libnet-smtp-ssl-perl{a} libnet-ssleay-perl{a} libpipeline1{a}
  libpython3-stdlib{a} libpython3.5-minimal{a} libpython3.5-stdlib{a}
  libsbuild-perl{a} libssl1.0.2{a} libtimedate-perl{a} libunistring0{a}
  libxml2{a} man-db{a} mime-support{a} netbase{a} po-debconf{a}
  python3{a} python3-minimal{a} python3.5{a} python3.5-minimal{a}
  sbuild{a} sbuild-build-depends-testpkg-dummy schroot{a}
  schroot-common{a}
The following packages are RECOMMENDED but will NOT be installed:
  at citadel-mta courier-mta curl debian-keyring debootstrap dma dput
  dput-ng dupload equivs esmtp-run exim4 exim4-daemon-heavy
  exim4-daemon-light ifupdown ifupdown2 libauthen-sasl-perl
  libdistro-info-perl libencode-locale-perl libglib2.0-data
  liblwp-protocol-https-perl libmail-sendmail-perl libmime-types-perl
  libnet-idn-encode-perl libnet-libidn-perl libsoap-lite-perl
  liburi-perl libwww-perl lintian lynx-cur masqmail msmtp-mta
  netscript-2.4 nullmailer opensmtpd patchutils postfix python3-debian
  python3-magic qmail-run sendmail-bin shared-mime-info ssmtp strace
  unzip wdiff wget xdg-user-dirs xml-core
0 packages upgraded, 56 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.7 MB/27.7 MB of archives. After unpacking 100 MB will be used.
WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.

  libsbuild-perl http://127.0.0.1:8000/./libsbuild-perl_0.68.0-1.0~exp1_all.deb
  sbuild http://127.0.0.1:8000/./sbuild_0.68.0-1.0~exp1_all.deb

Do you want to ignore this warning and proceed anyway?
To continue, enter "yes"; to abort, enter "no": Abort.
Not removing installed packages: cloned chroot in use

+------------------------------------------------------------------------------+
| Cleanup                                                                      |
+------------------------------------------------------------------------------+

Purging /<<BUILDDIR>>
Not cleaning session: cloned chroot in use
E: Package build dependencies not satisfied; skipping

So aptitude is indeed aborting the installation as expected. The situation
doesn't change when I sign the Release file with my own key either.

Can you give me more detailed steps of how to reproduce the effect you see?

Thanks!

cheers, josch