Re: mini-dinstall, repository signing and apt-get authentication

To: debian-mentors@lists.debian.org
Subject: Re: mini-dinstall, repository signing and apt-get authentication
From: Daniel Leidert <daniel.leidert.spam@gmx.net>
Date: Wed, 01 Aug 2007 16:15:30 +0200
Message-id: <[🔎] 1185977730.7340.118.camel@localhost>
In-reply-to: <87abtc8ysz.fsf@unicorn.ahiker.homeip.net>
References: <87abtc8ysz.fsf@unicorn.ahiker.homeip.net>

Am Dienstag, den 31.07.2007, 09:53 -0400 schrieb Ian Zimmerman:

[..]
> Neil> I get:
> Neil> Failed to fetch
> Neil> http://www.linux.codehelp.co.uk/packages/unstable/amd64/Release  
> Neil> Unable to find expected entry  Packages in Meta-index file (malformed Release file?)
> 
> And this is my main question: have you figured out what causes this error?
> I am pretty much in banging-head-against-wall mode now.
[..]
> and the Release file by
> 
> cd /var/local/debian && apt-ftparchive release ./ > /tmp/Release && mv /tmp/Release .

Hm. The release files will not contain much information except the Date
and the hash-sums. Am I wrong?

> Followed by apt-get update on the clients of course.
> 
> All this works flawlessly until I introduce signing.  As soon as I add a Release.gpg
> file (generated by cd /var/local/debian && gpg -abs -o Release.gpg Release)
> apt-get starts giving me the above error message.  Now the wording made me think
> that perhaps perhaps I should NOT compress the Packages file, so I tried to omit
> the gzip step above.  But then apt-get complains it cannot retrieve Packages file!

IIRC there was some requirement. IIRC you need Packages, Packages.gz
(and maybe Packages.bz2) at creation time of the Release file and only
after creating this file, you can remove those you don't need/want to
offer (e.g. Packages and Packages.bz2). IIRC there is some limitation of
this kind - however, I'm not sure about the correct wording. Maybe
that's the reason, why you get the error.

> <rant>
> It seems the security layer of apt was a quick hack which introduced this sort
> of confusion, instead of the thoughtful redesign it needed.
> </rant>

You have many choices besides mini-dinstall:
http://wiki.debian.org/HowToSetupADebianRepository, which work well for
secure-apt. I guess, most of them are better suited for your purpose
than mini-dinstall is. I personally use debarchiver on my server via scp
(dput). And I only need to login, if I want to remove something from the
repository. I also heard about reprepro being used on remote servers.

Regards, Daniel

Reply to:

Prev by Date: Re: [help] Merging tag and trunk in a SVN repository.
Next by Date: Re: RFS: plastex
Previous by thread: Re: mini-dinstall, repository signing and apt-get authentication
Next by thread: Re: RFS: plastex
Index(es):
- Date
- Thread