Hi cloud folks,
Quick advice-seeking email from me:
Google recently started signing the apt repository from which we serve certain packages used in the Google Compute Engine image build process (google-startup-scripts, google-compute-daemon, image-bundle, and recently also gcutil).
We do want to get these packages into Debian where appropriate so that the bulid can pull solely from the Debian archive, but adding an unknown GPG signature broke our current build. Doh! Thank you, Murphy's Law. :)
I think the best short-term way to allow properly authenticated builds is to put the Google apt repository's public key somewhere in the github tree, apt-key add it before we pull in our repository, but be sure to apt-key remove it when we remove our repository.
Does this sound sensible?
Again, none of this replaces the transition toward 100% Debian archive by default, just unbreaking the ability to build images now. (After that transition, we will probably have customers add our repository if they want the absolute latest bits from Google sooner than we can push them to sid and backports, but not as the official Debian default.)