Re: mini-dinstall, repository signing and apt-get authentication

To: "Ian Zimmerman" <itz@madbat.mine.nu>
Cc: debian-mentors@lists.debian.org
Subject: Re: mini-dinstall, repository signing and apt-get authentication
From: "Cameron Dale" <camrdale@gmail.com>
Date: Wed, 1 Aug 2007 00:53:43 -0700
Message-id: <[🔎] f4438a6a0708010053v2131df62w8235afe37c355606@mail.gmail.com>
In-reply-to: <87abtc8ysz.fsf@unicorn.ahiker.homeip.net>
References: <44CA6FEC.5060004@codehelp.co.uk> <87abtc8ysz.fsf@unicorn.ahiker.homeip.net>

On 31 Jul 2007 09:53:16 -0400, Ian Zimmerman <itz@madbat.mine.nu> wrote:
> Let me describe my situation: I have a flat (single directory) archive
> of personal debs.  I see absolutely no point in maintaining "code names"
> and "suites" and what not.  So I put the debs into /var/local/debian
> (which apache aliases to /debian/) on my.server.com, and in the clients'
> sources.list I put
>
> deb http://my.server.com/debian/ ./
>
> I generate the Packages.gz file by
>
> cd /var/local/debian && apt-ftparchive packages ./ | gzip - > Packages.gz

After looking at your repository, I have determined that this is where
the problem occurs. You need to also generate a Packages file
(uncompressed). You still need the Packages.gz file though, as apt
only wants to download that one. So, changing the command to:

cd /var/local/debian && \
    apt-ftparchive packages ./ > Packages && \
    gzip -c Packages > Packages.gz

should work to create both files. (It's worth noting that you could
probably create an apt-ftparchive config file, and then creating both
Packages files and the Release file would only involve one invocation
of "apt-ftparchive generate".)

> and the Release file by
>
> cd /var/local/debian && apt-ftparchive release ./ > /tmp/Release && mv /tmp/Release .
>
> Followed by apt-get update on the clients of course.
>
> All this works flawlessly until I introduce signing.  As soon as I add a Release.gpg
> file (generated by cd /var/local/debian && gpg -abs -o Release.gpg Release)
> apt-get starts giving me the above error message.  Now the wording made me think
> that perhaps perhaps I should NOT compress the Packages file, so I tried to omit
> the gzip step above.  But then apt-get complains it cannot retrieve Packages file!

It also works fine if you don't have the key in the apt secure key
ring. I'm not sure why this is, but adding a successful key check
seems to create this problem. There's almost certainly a bug in apt
somewhere here, or maybe a couple, since I don't think apt should
require a Packages file when it has no intention of downloading it.

Cameron

Reply to:

Follow-Ups:
- Re: mini-dinstall, repository signing and apt-get authentication
  - From: Ian Zimmerman <itz@madbat.mine.nu>

Prev by Date: RFS: chmsee
Next by Date: Re: Sponsor Checklist
Previous by thread: Re: RFS: chmsee
Next by thread: Re: mini-dinstall, repository signing and apt-get authentication
Index(es):
- Date
- Thread