Re: Blockers of apt 0.6, not related to signature verification
On Sat, Feb 19, 2005 at 04:56:10PM +0100, Florian Weimer wrote:
> * Michael Vogt:
> > There are (AFAIK) no patches for gnome-apt, so it won't know about
> > signed repositories. And everything that depends on libapt needs to be
> > recompiled because the ABI changes.
> And this makes things messy because we have to upload the affected
> packages at the same time to unstable (there is no libapt* library
> package, and they wouldn't help anyway if the cache file format is not
> compatible). I'm going to try to recompile further depedencies, but
> currently, I don't see this ABI transition as a major obstacle (I did
> when I first heard about it).
No, it shouldn't be a big deal. apt provides
"libapt-pkg-libc6.3-5-3.3" and everything that depends on libapt with
a new version will be temporary broken until it is recompiled.
There is another issue that just crossed my mind. All Release files
that have no gpg signature will be considered untrusted. That includes
the sarge cdroms as well. So it would be nice if the cdrom had a
signature file too so that there is no nasty "unauthenticated" prompt
when installing from cdrom. apt-secure had issues with cdroms but I
believe they are fixed in the arch tree now (or will be soon as
patches are floating around for it).
A problem may be that IIRC apt-secure will give quite a few warnings
even when run with "--allow-unauthenticated". It will warn about
missing pubkeys on update and about unauthenatenticated packages on
install. So having it with signature checking disabled by default is
not a very good option IMO (I heard rumors that this option was
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo