From 1c4f1894cf6bd9be0d956f821c4fe6d14f76d26b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <hertzog@debian.org>
Date: Fri, 1 Mar 2013 11:00:36 +0000
Subject: [PATCH] Use debootstrap --no-check-gpg by default since many local
 mirrors are not signed (such as temporary mirrors created by simple-cdd).

---
 CONF.sh          | 7 +++++++
 Makefile         | 7 ++++++-
 debian/changelog | 2 ++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/CONF.sh b/CONF.sh
index f2588b11..7db81014 100644
--- a/CONF.sh
+++ b/CONF.sh
@@ -50,6 +50,7 @@ unset OMIT_MANUAL	 || true
 unset OMIT_RELEASE_NOTES || true
 unset OMIT_DOC_TOOLS     || true
 unset MAX_PKG_SIZE       || true
+unset DEBOOTSTRAP_OPTS   || true
 
 # The debian-cd dir
 # Where I am (hoping I'm in the debian-cd dir)
@@ -178,6 +179,12 @@ export CONTRIB=1
 #export amd64_MKISOFS="xorriso"
 #export amd64_MKISOFS_OPTS="-as mkisofs -r -checksum_algorithm_iso md5,sha1"
 
+# By default we use debootstrap --no-check-gpg to find out the minimal set
+# of packages because there's no reason to not trust the local mirror. But
+# you can be paranoid and then you need to indicate the keyring to use to
+# validate the mirror.
+#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
+
 # ISOLinux support for multiboot on CD1 for i386
 export ISOLINUX=1
 
diff --git a/Makefile b/Makefile
index 62408297..875f16b7 100755
--- a/Makefile
+++ b/Makefile
@@ -56,6 +56,11 @@ endif
 ifneq (${ARCH_MKISOFS_OPTS},)
     MKISOFS_OPTS = ${ARCH_MKISOFS_OPTS}
 endif
+ifndef DEBOOTSTRAP_OPTS
+ifeq (yes,$(shell dpkg --compare-versions `dpkg-query -f'$${Version}' -W debootstrap` ge 1.0.30 && echo -n yes))
+DEBOOTSTRAP_OPTS=--no-check-gpg
+endif
+endif
 
 ## Internal variables  
 apt=$(BASEDIR)/tools/apt-selection
@@ -325,7 +330,7 @@ $(BDIR)/rawlist:
 				[ -z "$$BINCLUDE" ] || BINCLUDE="--include=$$BINCLUDE"; \
 				BEXCLUDE=`[ -n "$(BASE_EXCLUDE)" ] && cat $(BASE_EXCLUDE) | tr "\n" "," | sed 's!,$$!!g'`; \
 				[ -z "$$BEXCLUDE" ] || BEXCLUDE="--exclude=$$BEXCLUDE"; \
-				debootstrap --arch $$ARCH \
+				debootstrap $(DEBOOTSTRAP_OPTS) --arch $$ARCH \
 				            --print-debs \
 				            $$BINCLUDE $$BEXCLUDE \
 				            $(CODENAME) \
diff --git a/debian/changelog b/debian/changelog
index 5d8efbac..f8c76796 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,8 @@ debian-cd (3.1.12) UNRELEASED; urgency=low
   * Add dosfstools to Recommends since it's required by
     tools/boot/wheezy/boot-x86 for EFI support. It can't be added to Depends
     because it's not available on non-Linux systems.
+  * Use debootstrap --no-check-gpg by default since many local mirrors
+    are not signed (such as temporary mirrors created by simple-cdd).
 
  -- Steve McIntyre <93sam@debian.org>  Wed, 26 Sep 2012 01:09:13 +0100