apt 0.6 in experimental

[Matt Zimmerman <mdz@debian.org>]

This branch of apt represents a first pass at merging "apt-secure" into apt
proper.  Other new features are planned, but this is the first.  I would
very much appreciate if folks would upgrade to this version of apt and help
to test it.  It should be available within the next day or so from a Debian
mirror near you.

No extra effort should be required on your part unless you use non-Debian
sources, in which case an extra confirmation step will be required by
apt-get, and you should nag the operator to provide Release and Release.gpg
files.  apt 0.5.17 and later, and apt 0.6.1 and later, have an
apt-ftparchive tool which is capable of generating Release files.
Release.gpg is simply a detached signature of Release, so the procedure
would go something like this:

rm -f dists/unstable/Release
apt-ftparchive release dists/unstable > dists/unstable/Release
gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release

apt-key(1) is available for adding new keys to apt's keyring, which by
default includes only the current Debian archive signing key.

For your convenience, a corresponding build of python-apt is also in
experimental.  I have copied the maintainers of the various
libapt-pkg-dependent packages in the hopes that they will provide binaries
built against apt 0.6 for experimental.  If any of you are unable to do
this, let me know what version number scheme I should use, and I can do the
recompiles for you.

Once you have experimental in your sources.list, do this:

apt-get -t experimental install apt

and let me know how it goes.  If you see something that you think is a bug,
please THINK before filing a bug, and consider sending an email first.  Also
make sure that you have the most recent version from experimental.  If you
are absolutely sure that you have found a bug (for example, if you are
running the latest version and you have read this thread in its entirety and
apt is segfaulting), use the 'experimental' tag when filing it.

The relevant changelog excerpt is:

apt (0.6.1) experimental; urgency=low

  * Merge apt 0.5.17
  * Rearrange Release file authentication code to be more clear
  * If Release is present, but Release.gpg is not, don't forget to still
    queue Packages files
  * Convert distribution "../project/experimental" to "experimental" for
    comparison purposes
  * Make a number of Release file errors into warnings; for now, it is OK
    not to have a codename, for example.  We mostly care about checksums
    for now

 -- Matt Zimmerman <mdz@debian.org>  Fri, 26 Dec 2003 15:12:47 -0800

apt (0.6.0) experimental; urgency=low

  * Signature verification support patch ("apt-secure") from Colin Walters
    <walters@debian.org> and Isaac Jones <ijones@syntaxpolice.org>.  This
    implements:
     - Release signature verification (Release.gpg)
     - Packages, Sources md5sum verification against Release
     - Closes: #203741
  * Make some modifications to signature verification support:
    - Release.gpg is always retrieved and verified if present, rather than
      requiring that sources be configured as secure
    - Print a hint about installing gnupg if exec(gpgv) fails
    - Remove obsolete pkgAcqIndexRel
    - Move vendors.list stuff into a separate module (vendorlist.{h,cc})
    - If any files about to be retrieved are not authenticated, issue a
      warning to the user and require confirmation
    - Fix a heap corruption bug in pkgSrcRecords::pkgSrcRecords()
  * Suggests: gnupg
  * Install a keyring in /usr/share/apt/debian-archive.gpg containing an
    initial set of Debian archive signing keys to seed /etc/apt/trusted.gpg
  * Add a new tool, apt-key(8) used to manage the keyring

 -- Matt Zimmerman <mdz@debian.org>  Fri, 26 Dec 2003 08:27:19 -0800

-- 
 - mdz