Re: Compatibility of security mirror
On Wed, Sep 16, 2009 at 3:54 PM, Russ Allbery <rra@debian.org> wrote:
> Lee Winter <lee.j.i.winter@gmail.com> writes:
>> Goswin von Brederlow <goswin-v-b@web.de> wrote:
>
>>> This has one minor drawback though: The combined apt repository will be
>>> unsigned (you do not want to do that) or signed by a local key.
>
>> Why is that?
>
> Because the package lists from the two separate repositories are
> independently signed, and since you don't have access to the signing key,
> there's no way to combine them into a single package list and still have a
> valid signature without changing keys.
>
>> Right now the client's need three entries for lenny, security, and
>> volatile as if they came from separate mirrors. I would like to keep
>> the repositories independent but have one "debian" section in
>> sources.list. Is that not possible?
>
> There's a one-to-one correspondance between an entry in sources.list and
> the metadata that apt expects to find in the repository, which in turn is
> signed. You would have to combine the metadata in order to combine the
> sources.list lines, which would then require resigning the metadata.
OK, this is where it starts to get interesting. I didn't see much
more than passing references to this in the apt doc. Did I miss it or
are there other docs that describe the repository structure? Should I
be looking at the doc about creating packages or for creating
releases?
BTW, thanks for the clear/concise response.
Lee Winter
NP Engineering
Nashua, New Hampsire
Reply to: