live-build

History

Lyndon Brown 1edc3af346 debootstrap: use --force-check-gpg I asked for such a switch to be added in debootstrap back at the start of 2015 in #775454 as part of a review I undertook of its security. A slightly modified patch was merged a few months later and made it into version 1.0.69. A patch was never merged into live-build to make use of it however. Let's do that now. The benefit of this, as explained in #775454, is that if we want strong security (LB_APT_SECURE=true) then should debootstrap not be able to find the GPG key to verify things with, it will abort with an error instead of falling back to just https downloads with a warning. Such a warning would be easy to miss in the log output, and security could potentially be compromised if this were to happen. Gbp-Dch: Short	2020-03-12 14:44:49 +00:00
..
build	debootstrap: use --force-check-gpg	2020-03-12 14:44:49 +00:00
build.sh	amend copyright & licensing blocks	2020-03-11 13:51:19 +00:00

Lyndon Brown 1edc3af346 debootstrap: use --force-check-gpg

I asked for such a switch to be added in debootstrap back at the start of
2015 in #775454 as part of a review I undertook of its security. A slightly
modified patch was merged a few months later and made it into version
1.0.69.

A patch was never merged into live-build to make use of it however. Let's
do that now.

The benefit of this, as explained in #775454, is that if we want strong
security (LB_APT_SECURE=true) then should debootstrap not be able to find
the GPG key to verify things with, it will abort with an error instead of
falling back to just https downloads with a warning. Such a warning would
be easy to miss in the log output, and security could potentially be
compromised if this were to happen.

Gbp-Dch: Short

2020-03-12 14:44:49 +00:00

build

debootstrap: use --force-check-gpg

2020-03-12 14:44:49 +00:00

build.sh

amend copyright & licensing blocks

2020-03-11 13:51:19 +00:00