
Bug#338889: Overzealously prefers signed packages to identical unsigned ones



On Sun, Nov 13, 2005 at 04:37:15PM +0100, Andras Korn wrote:
> Package: apt
> Version: 0.6.42.3
> Severity: normal

Thanks for your bug report.
 
> I have a local package repository that is pieced together from many
> different sources. I don't have a signed Release file (is there an easy way
> to generate one automatically?); I only generate my own Packages file.

It's a matter of running apt-ftparchive and gpg, see apt-secure(8) for
a discussion.
 
> The patch to this local repository is listed first in my sources.list.
> 
> Nevertheless, when apt-get needs to fetch packages, it ignores my local
> repository and downloads the exact same packages from the net instead,
> presumably because those repositories are signed. (But do correct me if I'm
> wrong.)
[..]

Yes, it's a feature of apt to prefer signed sources. But if you run it
with --allow-unauthenticated, it should behave exactly as the 0.5.x
versions. Can you please try/confirm this?
 
Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
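
The apt-ftparchive and gpg steps mentioned in the reply above, as an added example that is not part of the original message or of apt itself. It assumes a flat repository directory of .deb files and a GnuPG secret key already in the local keyring; the function name make_signed_release and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: index and sign a flat local APT repository.
# make_signed_release and its two arguments are hypothetical names.
# Usage: make_signed_release REPO_DIR GPG_KEY_ID
make_signed_release() (
    repo_dir=${1:-}
    key_id=${2:-}
    if [ -z "$key_id" ] || [ ! -d "$repo_dir" ]; then
        echo "usage: make_signed_release REPO_DIR GPG_KEY_ID" >&2
        exit 2
    fi
    for tool in apt-ftparchive gpg gzip; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; exit 3; }
    done
    cd "$repo_dir" || exit 1
    # Precaution: remove old signed metadata so it is neither indexed
    # by apt-ftparchive nor left behind with a stale signature.
    rm -f Release Release.gpg InRelease
    # Index the .deb files, then write Release, which records the
    # checksums of the index files. Signing Release therefore covers
    # Packages, and through Packages every listed .deb.
    apt-ftparchive packages . > Packages || exit 1
    gzip -9c Packages > Packages.gz || exit 1
    tmp=$(mktemp) || exit 1
    apt-ftparchive release . > "$tmp" || { rm -f "$tmp"; exit 1; }
    mv "$tmp" Release
    chmod 644 Release
    # Detached signature (Release.gpg) and inline-signed copy (InRelease),
    # the two forms described in apt-secure(8).
    gpg --batch --yes --local-user "$key_id" -abs -o Release.gpg Release || exit 1
    gpg --batch --yes --local-user "$key_id" --clearsign -o InRelease Release || exit 1
    # Check the detached signature before publishing the directory.
    gpg --verify Release.gpg Release
)

# Run directly only when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    make_signed_release "$1" "$2"
fi
```

Clients treat the repository as authenticated only once the matching public key is trusted by apt on that machine, as apt-secure(8) describes.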


