Bug#419211: d-i fails in fetching "Release.gpg" in netboot install of etch r0

[Steve Langasek <vorlon@debian.org>]

On Sat, Apr 14, 2007 at 05:31:14PM +0530, nitesh wrote:
> Comments/Problems: The d-i says it fails to download a valid Release.gpg
> file from the mirror specified.

> I am installing the Debian etch 4.0 r0 onto HP machines through network
> install (PXE boot with DHCP/tftp).
> Everything goes alright until it (netboot d-i) tries to fetch the
> "Release.gpg" file from the mirror which is just
> another machine running sarge in a LAN. In reality, the ISO (DVD) that I
> have mounted at the HTTP mirror does not have any "Release.gpg" file in the
> specified directory.

Yes, the DVD images don't include a Release.gpg file because they are
primarily intended to be used as local media, not as network repositories;
and they are generated in a process that, AIUI, does not realistically
permit them to be signed by a key as secure as the one used for signing the
stable archive.  So there simply is no trust path to these CD images across
the network, and it's appropriate for the installer to abort rather than to
blindly trust an archive that hasn't been cryptographically secured.

Of course, while this is the correct default behavior, it seems reasonable
to me that we should allow users to override it with preseeding or the like,
so that's IMHO a valid wishlist request.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/