
Bug#619751: debian-installer: should upgrade debian-archive-keyring from the main mirror before attempting to fetch from security



Package: debian-installer
Version: 20090123lenny8
Severity: important

Hi,

I'm filing this against debian-installer in the hope that you'll reassign it to
the right d-i component.

Ben Hutchings reported today that older Lenny CDs (without the update to
debian-archive-keyring) do not actually install anymore.  I've confirmed this
with a 5.0.0 disc.  What happens is that if you allow it to connect to a
mirror (which is the suggested default), it will update the package lists,
apt will warn about security being untrusted and the upgrade of the
just-installed base system will hang in "Select and install software".

Actually what happens is that apt wants to upgrade the kernel from security,
which is untrusted and apt is pulling up a question that's displayed on tty4
but neither exposed to the UI nor answered by d-i itself.

So what should happen in this case: If you can connect to a mirror and have a
trust path to it, check if a new version of debian-archive-keyring is
available.  If so, upgrade it and update the package lists.  Only then try to
connect to security.  The trust path to the main mirror will be the stable
release key that's fixed for the whole stable release lifetime.

In this specific instance the archive key on security will be switched back
to the old key[0].  However, if a key rollover is needed or if the key's
expired (which it hasn't yet in this case), then we'd have the same problem
again.

I did not check what the current d-i behaviour is, hence I filed it against the
Lenny version.  But I'm sure that the maintainer of the component responsible
will know what happens in case of untrusted packages being proposed for
installation.

Kind regards and thanks for considering this
Philipp Kern

[0] http://lists.debian.org/debian-devel/2011/03/msg00976.html
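
The ordering proposed in the report, sketched as an added shell example (not part of the original message and not debian-installer code). The function names, the private sources file and the dry-run wrapper are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the proposed ordering; not debian-installer code.
# DRY_RUN=1 (the default) prints the apt commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# True when `apt-cache policy debian-archive-keyring` output ($1) lists a
# candidate version that differs from the installed one.
keyring_needs_upgrade() {
    installed=$(printf '%s\n' "$1" | awk '$1 == "Installed:" {print $2}')
    candidate=$(printf '%s\n' "$1" | awk '$1 == "Candidate:" {print $2}')
    [ -n "$candidate" ] && [ "$candidate" != "(none)" ] &&
        [ "$candidate" != "$installed" ]
}

# install_order SOURCES MIRROR SUITE SECURITY_URL [POLICY_OUTPUT]
# SOURCES must be an absolute path. POLICY_OUTPUT is optional and lets the
# logic be exercised without apt; when omitted, apt-cache is queried.
install_order() {
    sources=$1
    # Assumption: apt is pointed at this private sources file only.
    opts="-o Dir::Etc::sourcelist=$sources -o Dir::Etc::sourceparts=-"

    # 1. Main mirror only: its trust path is the stable release key.
    echo "deb $2 $3 main" > "$sources"
    run apt-get $opts update

    # 2. Pull a newer keyring over that trusted path, then refresh the lists.
    policy=${5-$(apt-cache $opts policy debian-archive-keyring 2>/dev/null)}
    if keyring_needs_upgrade "$policy"; then
        run apt-get $opts -y install debian-archive-keyring
        run apt-get $opts update
    fi

    # 3. Only now add the security archive, so its Release signature is
    #    checked against the refreshed keyring.
    echo "deb $4 $3/updates main" >> "$sources"
    run apt-get $opts update
}
```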
