Bug#892803: di-netboot-assistant: unsigned daily images
Package: di-netboot-assistant
Version: 0.51
Severity: minor
When attempting to install a daily image I get the following
========================================================================
# di-netboot-assistant install daily --arch=amd64
I: Processing daily/amd64.
I: Downloading 'SHA256SUMS'.
E: Could not download
'https://d-i.debian.org/daily-images/amd64/daily/../../../../Release'
and/or 'Release.gpg'.
* * * * * * * * * * * * WARNING * * * * * * * * * * * * *
* *
* Could not verify/find the signature of the release. *
* *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Download and install the image anyway? [y|N]:
========================================================================
In the package provided di-sources.list file, in the daily section,
there are the following comments,
## Daily netboot DI images (not signed?!?). Read:
# https://d-i.debian.org/daily-images/build-logs.html
# http://wiki.debian.org/DebianInstaller/Today
which is a hint that this is likely to fail.
It would be nice if the d-i daily's were signed, even if they had to use
a different key that I would then need to install on the system so that
this di-netboot-assistant check could use. Is there already a bug open
requesting daily image signing? If not then maybe this one can be cloned
and reassigned to the right place.
But until something like that is possible I suggest a couple things:
* add something to the error message detecting when installing daily and
explaining it's known that daily images currently aren't signed
* add some sort of override option for daily images to skip the check,
printing a warning. This would allow for calling di-netboot-assistant
from other tools (scripts, puppet, etc)
* update the comments in di-sources.list explaining dailys aren't signed
and will result in the warning prompt
* the 'Today' URL in the comments no longer exists, I couldn't find a
good replacement
--
Matt Taggart
matt@lackof.org
Reply to: