Re: census: apt sources.list snippets

On Sun, May 29, 2011 at 06:44, Paul Wise <pabs@debian.org> wrote:
> I've written some scripts to download the census wiki pages, extract
> the sources.list snippets from them and run aptitude update against
> them.

I am completely biased, but as at least a few derivatives don't have
aptitude in the default installation the script should use 'apt-get update'
to lower the dependencies in case I would want to run it 'at home'.

> Some of the deb-src lines had [arch=i386] in them. I guess
> sources.list files are not well understood in the area of source
> packages, or something.

(As a side note, I am fascinated by what lines are created and used
 just because the damn parser doesn't complain…)

> The scripts do not handle GPG stuff, which means that the end of the
> script gives GPG errors when it completes. Does anyone know how to
> disable signature checking?
> W: GPG error: http://aptosid.com sid InRelease: The following
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 9FFAACBAE3BD538B

Currently you can't easily - besides installing the keyrings.
The warnings are harmless though, at install time apt will ask
for confirmation for these packages or you give --allow-unauthenticated.

But if you really want to silence APT at this stage you can do this:

echo '#!/bin/sh
while [ -n "$1" ]; do
        if [ $(expr substr "$1" 1 11) = "--status-fd" ]; then
exit 0' > gpgv.sh
chmod +x gpgv.sh
apt-get update -o Dir::Bin::gpg=./gpgv.sh

This way every Release file is "magically" signed with a good signature -
at least that is what APT gets to know from our faked gpgv - and all
NO_PUBKEY warnings are gone.

Best regards

David Kalnischkies

P.S.: The "signature" key is the one used in APT's testcases so don't
worry that a real person could get offended by using this key for this trick.
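
Added example, not part of the original message or of the census scripts: rather than silencing the check, the update output can be summarised into a list of which repository is missing which key. The function names and the example.org warning with its placeholder key IDs are constructed for illustration; the aptosid warning is the one quoted in the thread.

```shell
#!/bin/sh
# Summarise NO_PUBKEY warnings from `apt-get update` output (added example).
# Typical use, with English messages and stderr included:
#   LC_ALL=C apt-get update 2>&1 | missing_keys

# Reads update output on stdin and prints one "URI<TAB>suite<TAB>key ID"
# line per missing key, sorted and de-duplicated.
missing_keys() {
    awk '
    /^W: GPG error: / && /NO_PUBKEY/ {
        uri = $4; suite = $5
        # A single warning can name several keys: "NO_PUBKEY A NO_PUBKEY B".
        for (i = 6; i < NF; i++)
            if ($i == "NO_PUBKEY")
                print uri "\t" suite "\t" $(i + 1)
    }' | sort -u
}

# Reads update output on stdin and prints how many distinct repositories
# (URI plus suite) have at least one signature that could not be verified.
unsigned_repo_count() {
    missing_keys | cut -f1,2 | sort -u | wc -l | tr -d ' '
}

# Constructed sample input. The aptosid warning is the one from the thread;
# the example.org line and its key IDs are placeholders.
sample_output() {
    cat <<'EOF'
Hit http://aptosid.com sid InRelease
W: GPG error: http://aptosid.com sid InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9FFAACBAE3BD538B
W: GPG error: http://example.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0000000000000001 NO_PUBKEY 0000000000000002
W: GPG error: http://aptosid.com sid InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9FFAACBAE3BD538B
EOF
}
```
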