Re: Compatibility of security mirror

[Russ Allbery <rra@debian.org>]

Lee Winter <lee.j.i.winter@gmail.com> writes:
> Goswin von Brederlow <goswin-v-b@web.de> wrote:

>> This has one minor drawback though: The combined apt repository will be
>> unsigned (you do not want to do that) or signed by a local key.

> Why is that?

Because the package lists from the two separate repositories are
independently signed, and since you don't have access to the signing key,
there's no way to combine them into a single package list and still have a
valid signature without changing keys.

> Right now the client's need three entries for lenny, security, and
> volatile as if they came from separate mirrors.  I would like to keep
> the repositories independent but have one "debian" section in
> sources.list.  Is that not possible?

There's a one-to-one correspondance between an entry in sources.list and
the metadata that apt expects to find in the repository, which in turn is
signed.  You would have to combine the metadata in order to combine the
sources.list lines, which would then require resigning the metadata.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>