Re: Re: Re: Trouble with upgrading debian 7 (wheezy) (solved)
Hello,
On Wed, Sep 02, 2020 at 12:43:35PM -0500, R. Ramesh wrote:
> My only wish is apt is updated to say something about the fact
> that this is unsupported and users are on their own, but still
> provide the download/install without we having to manually
> intervene.
I think¹ that there are two distinct things here:
1) The Debian Project's apt repositories and archives.
2) The software packages "apt" and "apt-get", designed for
interacting with an apt archive.
It is my understanding that:
- The Debian Project has chosen to use key expiry as an indication
(or one of the indications) that a particular distribution in its
repository is no longer maintained.
- The "apt" commands interpret an expired key as a repository that
should not be used without manual intervention.
So in effect allowing the key to expire *is* the message that you
are looking for, and having to force apt to ignore that can provide
a download, albeit with manual intervention necessary.
Apparently with an apt from stretch onwards you can configure
Check-Valid-Until in the actual sources file itself, so when stretch
is archived it could be referred to like this:
deb [check-valid-until=no] http://archive.debian.org/debian/ stretch main
in /etc/apt/sources.list or a snippet inside
/etc/apt/sources.list.d/. That would disable the expired key check
for just the archived stretch and not every repository you have
configured, with no command line override required.
Something I am not sure of: The key signs the repository's Release
file, and the Release file contains (amongst other things) checksums
for the index files. The index files contain hashes of all the
actual files, so you need a valid Release file to ensure integrity
of indices which then ensure integrity of actual packages. If one
forces apt to accept a Release file whose signing key has expired,
does apt still check the hashes in the indices that the Release file
references in order to ensure integrity of the files that are
downloaded? That is, will disabling Check-Valid-Until also disable
file integrity checks?
There is more in man page apt-secure about what security things
can be overridden.
https://manpages.debian.org/buster/apt/apt-secure.8.en.html
Cheers,
Andy
¹ and I could well be wrong, since I am only a user of Debian, not a
Developer or contributor to apt.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
> I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating. — Andy Davidson
Reply to: