
Re: unsigned repositories



On Mon, 29 Jul 2019 at 00:17:17 +0000, Thorsten Glaser wrote:
> echo "deb [trusted=yes] file://$base ./" >"/etc/apt/sources.list.d/$this.list"

sbuild and autopkgtest (and probably other build/CI tools) also rely on
being able to inject local packages into a build/test environment using a
[trusted=yes] apt repository.

Older versions of both sbuild and autopkgtest set up a temporary GPG key,
signed the repository and marked the GPG key as trusted, but this was slow
(particularly because it consumed entropy from /dev/random) and not very
robust. Newer versions mark an unsigned repository as [trusted=yes] instead
and are faster and more reliable as a result.

Both sbuild and autopkgtest are designed to target multiple Debian releases
including the oldest release that still attracts uploads (currently jessie,
for LTS), so relying on "apt-get install --with-source" is undesirable.
sbuild also uses aptitude instead of apt (for its more-backports-friendly
resolver) in some configurations, and that doesn't have --with-source.

    smcv
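
The security property behind the discussion above is that [trusted=yes] tells apt to skip Release signature verification for that one source, which is harmless for a file:// repository of packages the build tool just produced itself, but dangerous if it ever ends up on an http:// or https:// source. The following is an added example, not code from this thread, sbuild or autopkgtest: a small audit that parses one-line sources.list entries (the flat "deb [options] uri suite components" format, not deb822 .sources files) and reports any [trusted=yes] on a URI scheme that can fetch over the network. The sample sources text, the mirror.example.invalid hosts and the /srv/sbuild-extra path are constructed for the example.

```python
"""Flag [trusted=yes] apt sources whose URI is not a local file:// or copy:// repository.

Added example: only the one-line sources.list format is parsed; the sample input
below is constructed and does not describe any real system.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Source(NamedTuple):
    kind: str                  # "deb" or "deb-src"
    options: Dict[str, str]    # bracketed options, e.g. {"trusted": "yes"}
    uri: str
    suite: str
    components: Tuple[str, ...]


class Finding(NamedTuple):
    lineno: int
    uri: str
    reason: str


# One-line format: deb|deb-src [opt=val ...] uri suite [component ...]
_LINE_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)\s*$"
)

# Schemes that read from local disk only: [trusted=yes] there disables
# verification of content the host already controls, not of network content.
LOCAL_SCHEMES = ("file", "copy")

# Constructed sample; not a real sources.list.
SAMPLE = """\
# constructed sample; not real system configuration
deb http://deb.debian.org/debian bullseye main contrib
deb-src http://deb.debian.org/debian bullseye main
deb [trusted=yes] file:///srv/sbuild-extra ./
deb [arch=amd64 trusted=yes] http://mirror.example.invalid/debian bullseye main
deb [trusted=no signed-by=/usr/share/keyrings/x.gpg] https://pkgs.example.invalid/ stable main
"""


def parse_options(text: str) -> Dict[str, str]:
    """Parse the whitespace-separated key=value list inside [...]."""
    opts: Dict[str, str] = {}
    for item in text.split():
        key, _, value = item.partition("=")
        # apt also accepts key+=val and key-=val; record the base key.
        opts[key.rstrip("+-")] = value
    return opts


def parse_source_line(line: str) -> Optional[Source]:
    """Return a Source for a deb/deb-src line, None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable sources line: %r" % line)
    kind, opts, uri, suite, comps = m.groups()
    return Source(kind, parse_options(opts or ""), uri, suite, tuple(comps.split()))


def is_trusted(src: Source) -> bool:
    """True when the entry opts out of Release signature verification."""
    return src.options.get("trusted", "").lower() == "yes"


def uri_scheme(uri: str) -> str:
    return uri.split(":", 1)[0].lower()


def audit_sources(text: str) -> List[Finding]:
    """Report every [trusted=yes] entry whose URI can be served over a network."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        src = parse_source_line(raw)
        if src is None or not is_trusted(src):
            continue
        if uri_scheme(src.uri) not in LOCAL_SCHEMES:
            findings.append(Finding(
                lineno, src.uri,
                "trusted=yes disables signature checks on a network source"))
    return findings


if __name__ == "__main__":
    for f in audit_sources(SAMPLE):
        print("line %d: %s: %s" % (f.lineno, f.uri, f.reason))
```

Run it against the concatenation of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list to spot a [trusted=yes] that outlived the local build directory it was written for; the sbuild-style file:// entry in the sample is deliberately not reported.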

