
Re: apt 0.6 in experimental



On Sat, Dec 27, 2003 at 02:11:01AM -0500, Joey Hess wrote:

> Matt Zimmerman wrote:
> > apt-get -t experimental install apt
> > 
> > and let me know how it goes.
> 
> Aside from losing aptitude, it was a painless upgrade.
> 
> W: GPG error: http://non-US.debian.org unstable/non-US Release: The
> following signatures couldn't be verified because the public key is not
> available: NO_PUBKEY B629A24C38C6029A
> 
> Isn't there a key for that one? Oh well, I had been meaning to stop
> tracking non-us anyway.

That key is "Debian Archive Automatic Signing Key (2003)
<ftpmaster@debian.org>" which I thought was supposed to be revoked due to
the compromise.

> > No extra effort should be required on your part unless you use non-Debian
> > sources, in which case an extra confirmation step will be required by
> > apt-get, and you should nag the operator to provide Release and Release.gpg
> > files. 
> 
> I was expecting to see apt-get update whine about my extra-debian
> sources, which lack Release files altogether, and am surprised that it
> seemed to simply ignore the lack of Release files and signatures with
> no warnings:

If you're comparing it to apt-secure, the interface has changed a bit (see
the changelog).  Rather than requiring you to declare sources as
authenticated or not, it keeps track of which sources it was able to
authenticate with a trusted key, and warns you if you are about to install a
package from one of the unauthenticated sources.  This provides a smoother
transition.

-- 
 - mdz
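
The behaviour described in the message above (remember which sources verified against a trusted key, warn only when a package would come from one that did not), as an added example that is not part of the original message and is not apt's code. The keywords are GnuPG's machine-readable status lines; the function names, source labels, package names and the trusted key id are hypothetical, and treating any BADSIG as fatal is this example's own policy.

```python
# Added illustration, not apt's code: per-source authentication state,
# decided from GnuPG status lines, then checked at install time.
PREFIX = "[GNUPG:] "
FAILURES = {"NO_PUBKEY", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}

def classify_source(status, trusted_keyids):
    """Return (authenticated, reason) for one source.

    status is the verifier's status output for Release/Release.gpg,
    or None when the source ships no Release file at all.
    """
    if status is None:
        return False, "no Release file or signature"
    good, problems = [], []
    for line in status.splitlines():
        fields = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if not fields:
            continue
        keyword = fields[0]
        keyid = fields[1] if len(fields) > 1 else "?"
        if keyword == "BADSIG":
            # Policy of this example: one bad signature fails the source.
            return False, "BADSIG " + keyid
        if keyword == "GOODSIG":
            good.append(keyid)
        elif keyword in FAILURES:
            problems.append(keyword + " " + keyid)
    if any(k in trusted_keyids for k in good):
        return True, "good signature from a trusted key"
    return False, "; ".join(problems) or "no signature from a trusted key"

def unauthenticated(install_plan, state):
    """Packages whose source was not authenticated (warn before install)."""
    return sorted(pkg for pkg, src in install_plan.items()
                  if not state.get(src, (False, ""))[0])

# Constructed sample data; only the NO_PUBKEY key id comes from the thread.
TRUSTED = {"0123456789ABCDEF"}
STATUS = {
    "non-US": "[GNUPG:] NO_PUBKEY B629A24C38C6029A\n",
    "main": "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Archive Key\n",
    "extra": None,  # no Release file, like the extra sources in the thread
}
PLAN = {"apt": "main", "somepkg": "extra", "otherpkg": "non-US"}

def demo():
    state = {s: classify_source(out, TRUSTED) for s, out in STATUS.items()}
    return state, unauthenticated(PLAN, state)
```

In this model `apt-get update` stays quiet about the source with no Release file, and the confirmation is raised only when `unauthenticated()` returns a non-empty list for the pending install.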


