Hi Fred, On 04.10.19 09:52, Fred Boiteux wrote: > Meanwhile, I've tried to understand what is going on : on my VM being installed, stuck because the standard 'locales' package can't be installed, as the given repository is not signed and then ignored, I've done this : I've connected to the VM with SSH, then I've done a 'chroot /target' to check what is going on. Trying to install the locales packages don't actually work : > > # apt-get install locales > Reading package lists... Done > Building dependency tree... Done > Package locales is not available, but is referred to by another package. > This may mean that the package is missing, has been obsoleted, or > is only available from another source > E: Package 'locales' has no installation candidate > > > Trying an apt update gives the same error message than in the previous log : > > # apt update > Ign:1 http://192.168.254.254/buster_debian_installer buster InRelease > Get:2 http://192.168.254.254/buster_debian_installer buster Release [33.5 kB] Ign:3 http://192.168.254.254/buster_debian_installer buster Release.gpg > Reading package lists... Done > E: The repository 'http://192.168.254.254/buster_debian_installer buster Release' is not signed. > N: Updating from such a repository can't be done securely, and is therefore disabled by default. > N: See apt-secure(8) manpage for repository creation and user configuration details. > > I've checked the apt config : > > # cat target/etc/apt/apt.conf.d/00AllowUnauthenticated > APT::Get::AllowUnauthenticated "true"; > Aptitude::CmdLine::Ignore-Trust-Violations "true"; > > > And looking (on a working Buster system) the apt-secure manual page suggest me to add following line in this conf file : > > Acquire::AllowInsecureRepositories "true"; > > > With this config item, the « apt update » runs well, the error message becomes a warning message : I think it would be better to sign your archive instead. With your modification you would completely disable checking GPG signatures for every repository (who checks warnings?) Sadly, the Debian wiki is full of outdated setups but I cannot find a stringent howto for setting up a trusted repo. Reprepro seem like a possible way to go. It overcomes another misfeature of these minimal repositories: You cannot pin packages to versions of this repository but have to set them on hold, else you always risk getting packages from Debian proper. My 2 cents Michael
Attachment:
signature.asc
Description: OpenPGP digital signature