Debian packages are not signed

Bug #1186792 reported by Michael Tänzer
This bug affects 10 people
Affects                        Status   Importance   Assigned to   Milestone
Odoo Server (MOVED TO GITHUB)  New      Undecided    Unassigned    -
openerp (Debian)               New      Undecided    Unassigned    -

Bug Description

The Debian packages for OpenERP 7.0 provided at http://nightly.openerp.com/7.0/nightly/deb/ are not signed. Signing these would be a vital feature of the deployment process of such business-critical software as an ERP system, so I can verify that I'm updating a real OpenERP package and not something a bad guy has provided.

All you need is to generate a GPG key and set a few command line options in the release process to make me and probably some other admins sleep better at night.

Ondra Knezour (knezour)
tags: added: debian gpg installation security
Revision history for this message
Martin Burger (q8q6cw5f-8-ks2gs09p) wrote :

This is very annoying as it breaks our automated update process: aptitude asks each time whether I want to ignore the warning on the untrusted package:

WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.

  openerp

Do you want to ignore this warning and proceed anyway?
To continue, enter "Yes"; to abort, enter "No": yes

Revision history for this message
Alexandre Fayolle - camptocamp (alexandre-fayolle-c2c) wrote :

Just to clarify a bit: the Release file of the repository needs to be signed, not the packages themselves.
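
A worked version of what the report and the comment above ask for (generate a signing key, sign the repository's Release file rather than the .debs, and verify on the client), as an added example that is not part of this bug report and is not OpenERP's or Odoo's release tooling. It assumes GnuPG 2.1 or later and GNU coreutils; the key identity repo@example.invalid, the directory layout and the stub openerp .deb are made up for the demonstration. A real repository would generate Packages with dpkg-scanpackages or apt-ftparchive and ship the exported public key as a keyring file referenced from the client's sources list.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenERP/Odoo's tooling:
# build a tiny apt repository, sign its Release file, verify it like apt.
# Key identity, paths and the stub "openerp" .deb are made up (assumptions).
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
SERVER_HOME="$WORK/server-gnupg"   # private signing key lives only here
CLIENT_HOME="$WORK/client-gnupg"   # client gets only the exported public key
mkdir -p "$REPO/binary" "$SERVER_HOME" "$CLIENT_HOME"
chmod 700 "$SERVER_HOME" "$CLIENT_HOME"

# Step 1: generate the repository signing key on the release host.
gen_key() {
    GNUPGHOME="$SERVER_HOME" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Repo Signing
Name-Email: repo@example.invalid
Expire-Date: 0
%commit
EOF
}

# Step 2: the Packages index (dpkg-scanpackages/apt-ftparchive would do this;
# the stub .deb and its stanza are constructed by hand for the example).
make_index() {
    printf 'stub, not a real package\n' > "$REPO/binary/openerp_7.0_all.deb"
    cat > "$REPO/binary/Packages" <<EOF
Package: openerp
Version: 7.0
Architecture: all
Filename: binary/openerp_7.0_all.deb
Size: $(wc -c < "$REPO/binary/openerp_7.0_all.deb" | tr -d ' ')
SHA256: $(sha256sum "$REPO/binary/openerp_7.0_all.deb" | cut -d' ' -f1)
Description: stub for the example

EOF
}

# Step 3: Release records the hash of every index, so one signature over it
# covers Packages and, through Packages, every .deb: sign Release, not .debs.
make_release() {
    {
        printf 'Origin: Example\nSuite: stable\nCodename: stable\n'
        printf 'Architectures: all\nComponents: main\n'
        printf 'Date: %s\n' "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
        printf 'SHA256:\n %s %16s binary/Packages\n' \
            "$(sha256sum "$REPO/binary/Packages" | cut -d' ' -f1)" \
            "$(wc -c < "$REPO/binary/Packages" | tr -d ' ')"
    } > "$REPO/Release"
}

# Step 4: InRelease (clearsigned, fetched first by apt) and Release.gpg
# (detached, for older clients); export the public key for the clients.
sign_release() {
    GNUPGHOME="$SERVER_HOME" gpg --batch --yes --armor --detach-sign \
        --output "$REPO/Release.gpg" "$REPO/Release"
    GNUPGHOME="$SERVER_HOME" gpg --batch --yes --clearsign \
        --output "$REPO/InRelease" "$REPO/Release"
    GNUPGHOME="$SERVER_HOME" gpg --batch --armor --export repo@example.invalid \
        > "$REPO/example-archive-keyring.asc"
}

# Step 5: client side. Verify InRelease against the pinned public key only,
# then check Packages against the hash carried inside the signed text.
verify_release() {
    GNUPGHOME="$CLIENT_HOME" gpg --batch --quiet --import \
        "$REPO/example-archive-keyring.asc" 2>/dev/null
    GNUPGHOME="$CLIENT_HOME" gpg --batch --quiet --verify \
        "$REPO/InRelease" 2>/dev/null || return 1
    want=$(awk '$3 == "binary/Packages" { print $1 }' "$REPO/InRelease")
    got=$(sha256sum "$REPO/binary/Packages" | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Step 6: a swapped Packages index must fail the hash check and an edited
# InRelease must fail the signature check. Returns 0 if both are rejected.
tamper_check() {
    cp "$REPO/binary/Packages" "$WORK/Packages.orig"
    printf 'Package: backdoored\n\n' >> "$REPO/binary/Packages"
    if verify_release; then index_accepted=1; else index_accepted=0; fi
    mv "$WORK/Packages.orig" "$REPO/binary/Packages"
    cp "$REPO/InRelease" "$WORK/InRelease.orig"
    sed 's/^Suite: stable$/Suite: evil/' "$WORK/InRelease.orig" > "$REPO/InRelease"
    if verify_release; then sig_accepted=1; else sig_accepted=0; fi
    mv "$WORK/InRelease.orig" "$REPO/InRelease"
    [ "$index_accepted" = 0 ] && [ "$sig_accepted" = 0 ]
}

gen_key 2>/dev/null
make_index
make_release
sign_release 2>/dev/null
verify_release && echo "InRelease verifies and Packages matches the signed hash"
tamper_check && echo "swapped index and edited InRelease are both rejected"
```

Run it with sh; it prints two lines when both checks pass. Step 6 is the point of the comment above: once Release is signed, a swapped index is caught by the hash chain (Release covers Packages, Packages covers each .deb by size and SHA256), so the .debs themselves need no signature, and the aptitude warning quoted earlier goes away once the client has the public key in its keyring and the repository serves a signed InRelease or Release.gpg.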
