aptitude: untrusted packages
Aptitude gave me a rather unexpected message today.

$ aptitude -s upgrade
WARNING: untrusted versions of the following packages will be installed!
Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.
Do you want to ignore this warning and proceed anyway?
To continue, enter "Yes"; to abort, enter "No":

$ apt-cache policy yaird
900 http://ftp.nl.debian.org sid/main Packages
700 http://debian.jones.dk sid/misc Packages
*** 0.0.11-10 0
890 http://ftp.nl.debian.org etch/main Packages

I know that the message is a result of not having the gpg key for
debian.jones.dk in my keyring, but I'm not trying to install the
version from debian.jones.dk.

I don't have the key in my keyring because I don't trust the packages
there. I want to be notified when trying to install one of them.

When I answer yes to the question above, aptitude will get the
(trusted) package from ftp.nl.debian.org. So why does it warn me about
untrusted packages? I want to be able to install yaird (from the
normal repositories) without this warning. Only when a package will
actually be retrieved from an untrusted source should aptitude warn

Does anyone know what to do about this, or should I consider this a
bug and file a report?

Felix C. Stegerman <email@example.com>
"Any sufficiently advanced bug is indistinguishable from a feature."
-- R. Kulawiec
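
The following is an added example, not part of the original post: a small parser for `apt-cache policy` output that lists which archives offer the candidate version and flags those outside a trusted set. The sample output and its candidate version number are constructed, and the `trusted_hosts` set is an assumption standing in for "archives whose Release file verifies against a key in the apt keyring".

```python
import re
from urllib.parse import urlparse

# Constructed sample in the layout `apt-cache policy <pkg>` prints; the
# candidate version number is a placeholder, not taken from the post.
SAMPLE = """\
yaird:
  Installed: 0.0.11-10
  Candidate: 0.0.12-1
  Version table:
     0.0.12-1 0
        900 http://ftp.nl.debian.org sid/main Packages
        700 http://debian.jones.dk sid/misc Packages
 *** 0.0.11-10 0
        890 http://ftp.nl.debian.org etch/main Packages
        100 /var/lib/dpkg/status
"""
VERSION_RE = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+-?\d+\s*$")
SOURCE_RE = re.compile(r"^\s+(-?\d+)\s+(\S+)(?:\s+(\S+))?")

def parse_policy(text):
    """Return (candidate, {version: [(priority, uri, suite), ...]})."""
    candidate, table, current, in_table = None, {}, None, False
    for line in text.splitlines():
        if line.strip().startswith("Candidate:"):
            candidate = line.split(":", 1)[1].strip()
        elif line.strip() == "Version table:":
            in_table = True
        elif in_table and (m := VERSION_RE.match(line)):
            current = table.setdefault(m.group(1), [])   # new version row
        elif in_table and current is not None and (m := SOURCE_RE.match(line)):
            current.append((int(m.group(1)), m.group(2), m.group(3)))
    return candidate, table

def untrusted_sources(text, trusted_hosts):
    """Archives offering the candidate version whose host is not trusted."""
    candidate, table = parse_policy(text)
    flagged = []
    for prio, uri, suite in table.get(candidate, []):
        host = urlparse(uri).hostname     # None for local files such as dpkg/status
        if host is not None and host not in trusted_hosts:
            flagged.append((host, suite, prio))
    return candidate, flagged

if __name__ == "__main__":
    cand, flagged = untrusted_sources(SAMPLE, {"ftp.nl.debian.org"})
    print("candidate:", cand)
    for host, suite, prio in flagged:
        print(f"  same version also offered by {host} ({suite}, priority {prio})")
```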