Hi Ansgar,

On Sun, 06 Mar 2016 13:25:21 +0100 Ansgar Burchardt <ans...@debian.org> wrote:
> sbuild --build-dep-resolver=aptitude will install packages from
> untrusted sources.

I cannot reproduce your findings.

I created a directory on my host with the sbuild packages from experimental,
ran:

        $ dpkg-scanpackages . /dev/null > Packages
        $ apt-ftparchive release . > Release

Then served that directory via http:

        $ python -m SimpleHTTPServer 8000

And then crafted a dummy source package with:

        Build-Depends: debhelper, sbuild (= 0.68.0-1.0~exp1), libsbuild-perl (= 0.68.0-1.0~exp1)

Then I ran:

        sbuild --extra-repository="deb http://127.0.0.1:8000/ ./" --build-dep-resolver=aptitude

And I get:

        The following NEW packages will be installed:
          apt-utils{a} autotools-dev{a} bsdmainutils{a} dctrl-tools{a} debhelper{a} devscripts{a} dh-python{a} dh-strip-nondeterminism{a} file{a} gettext{a} gettext-base{a} groff-base{a} intltool-debian{a} libapt-inst2.0{a} libarchive-zip-perl{a} libboost-program-options1.58.0{a} libbsd0{a} libclass-data-inheritable-perl{a} libcroco3{a} libdevel-stacktrace-perl{a} libemail-date-format-perl{a} libexception-class-perl{a} libexpat1{a} libffi6{a} libfile-stripnondeterminism-perl{a} libfilesys-df-perl{a} libglib2.0-0{a} libicu55{a} libio-socket-ssl-perl{a} libmagic1{a} libmailtools-perl{a} libmime-lite-perl{a} libmpdec2{a} libnet-smtp-ssl-perl{a} libnet-ssleay-perl{a} libpipeline1{a} libpython3-stdlib{a} libpython3.5-minimal{a} libpython3.5-stdlib{a} libsbuild-perl{a} libssl1.0.2{a} libtimedate-perl{a} libunistring0{a} libxml2{a} man-db{a} mime-support{a} netbase{a} po-debconf{a} python3{a} python3-minimal{a} python3.5{a} python3.5-minimal{a} sbuild{a} sbuild-build-depends-testpkg-dummy schroot{a} schroot-common{a}
        The following packages are RECOMMENDED but will NOT be installed:
          at citadel-mta courier-mta curl debian-keyring debootstrap dma dput dput-ng dupload equivs esmtp-run exim4 exim4-daemon-heavy exim4-daemon-light ifupdown ifupdown2 libauthen-sasl-perl libdistro-info-perl libencode-locale-perl libglib2.0-data liblwp-protocol-https-perl libmail-sendmail-perl libmime-types-perl libnet-idn-encode-perl libnet-libidn-perl libsoap-lite-perl liburi-perl libwww-perl lintian lynx-cur masqmail msmtp-mta netscript-2.4 nullmailer opensmtpd patchutils postfix python3-debian python3-magic qmail-run sendmail-bin shared-mime-info ssmtp strace unzip wdiff wget xdg-user-dirs xml-core
        0 packages upgraded, 56 newly installed, 0 to remove and 0 not upgraded.
        Need to get 27.7 MB/27.7 MB of archives. After unpacking 100 MB will be used.
        WARNING: untrusted versions of the following packages will be installed!

        Untrusted packages could compromise your system's security.
        You should only proceed with the installation if you are certain that
        this is what you want to do.

          libsbuild-perl http://127.0.0.1:8000/./libsbuild-perl_0.68.0-1.0~exp1_all.deb
          sbuild http://127.0.0.1:8000/./sbuild_0.68.0-1.0~exp1_all.deb

        Do you want to ignore this warning and proceed anyway?
        To continue, enter "yes"; to abort, enter "no": Abort.
        Not removing installed packages: cloned chroot in use

        +------------------------------------------------------------------------------+
        | Cleanup                                                                      |
        +------------------------------------------------------------------------------+

        Purging /<<BUILDDIR>>
        Not cleaning session: cloned chroot in use
        E: Package build dependencies not satisfied; skipping

So aptitude is indeed aborting the installation as expected. The situation
doesn't change when I sign the Release file with my own key either.

Can you give me more detailed steps of how to reproduce the effect you see?

Thanks!

cheers, josch
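Added example (not part of josch's mail or of sbuild itself): a small scanner that checks an sbuild/aptitude log for the "untrusted versions" warning quoted above and reports whether the resolver aborted or went ahead. The sample log is a hand-trimmed copy of the output quoted in the mail, constructed here for the example; the function names are mine.

```python
"""Scan aptitude (sbuild --build-dep-resolver=aptitude) output for the
"untrusted versions" warning and report the outcome.

Added example; not code from the bug report or from sbuild.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the aptitude output quoted in the mail.
SAMPLE_LOG = """\
The following NEW packages will be installed:
  apt-utils{a} libsbuild-perl{a} sbuild{a} sbuild-build-depends-testpkg-dummy
0 packages upgraded, 56 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.7 MB/27.7 MB of archives. After unpacking 100 MB will be used.
WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.

  libsbuild-perl http://127.0.0.1:8000/./libsbuild-perl_0.68.0-1.0~exp1_all.deb
  sbuild http://127.0.0.1:8000/./sbuild_0.68.0-1.0~exp1_all.deb

Do you want to ignore this warning and proceed anyway?
To continue, enter "yes"; to abort, enter "no": Abort.
E: Package build dependencies not satisfied; skipping
"""

WARNING_MARKER = "WARNING: untrusted versions of the following packages will be installed!"
# One entry per untrusted package: indent, package name, whitespace, source URL.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<url>\S+://\S+)\s*$")


@dataclass(frozen=True)
class UntrustedPackage:
    name: str
    url: str


def find_untrusted_packages(log_text):
    """Return the packages aptitude listed under the untrusted warning, in order.

    Lines are stripped before comparison so sbuild's own indentation of the
    resolver output (8 spaces in the quoted log) does not matter.
    """
    found = []
    in_block = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == WARNING_MARKER:
            in_block = True
            continue
        if not in_block:
            continue
        m = ENTRY_RE.match(line)
        if m:
            found.append(UntrustedPackage(m.group("name"), m.group("url")))
        elif stripped.startswith("Do you want to ignore this warning"):
            break  # end of the warning block
    return found


def installation_was_aborted(log_text):
    """True if aptitude's prompt was answered with an abort."""
    return any(line.strip().endswith('enter "no": Abort.')
               for line in log_text.splitlines())


def assess(log_text):
    """Classify a log: "clean" (no warning), "aborted" (warning, resolver
    stopped) or "UNTRUSTED_INSTALLED" (warning, but the install proceeded)."""
    if not find_untrusted_packages(log_text):
        return "clean"
    return "aborted" if installation_was_aborted(log_text) else "UNTRUSTED_INSTALLED"


if __name__ == "__main__":
    for pkg in find_untrusted_packages(SAMPLE_LOG):
        print(f"untrusted: {pkg.name} from {pkg.url}")
    print("verdict:", assess(SAMPLE_LOG))
```

Run over a real build log (`assess(open(path).read())`), a verdict of "UNTRUSTED_INSTALLED" is the condition Ansgar describes, whereas the log quoted in the mail yields "aborted".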
