
Bug#338889: Overzealously prefers signed packages to identical unsigned ones



Michael Vogt <mvogt@acm.org> writes:

> On Sun, Nov 13, 2005 at 04:37:15PM +0100, Andras Korn wrote:
>> Package: apt
>> Version: 0.6.42.3
>> Severity: normal
>
> Thanks for your bugreport.
>  
>> I have a local package repository that is pieced together from many
>> different sources. I don't have a signed Release file (is there an easy way
>> to generate one automatically?); I only generate my own Packages file.
>
> It's a matter of running apt-ftparchive and gpg, see apt-secure(8) for
> a discussion.

I can't resist suggesting reprepro again. :) It is just born to do
exactly that (a local package repository that is pieced together from
many different sources). I piece together my own archive from
ftp.de.debian.org (source+i386), amd64.debian.net (source+amd64),
security.debian.org (source+i386+amd64) as well as all locally built,
backported and patched packages.

>> The path to this local repository is listed first in my sources.list.
>> 
>> Nevertheless, when apt-get needs to fetch packages, it ignores my local
>> repository and downloads the exact same packages from the net instead,
>> presumably because those repositories are signed. (But do correct me if I'm
>> wrong.)
> [..]
>
> Yes, it's a feature of apt to prefer signed sources. But if you run it
> with --allow-unauthenticated, it should behave exactly as the 0.5.x
> versions. Can you please try/confirm this?

There is also a patch from me in the BTS that allows a vendor tag of
[TRUSTED] in the sources.list to skip the Release.gpg check for that
entry.

But in the general case it would be nice if apt-get would get the
file/size/md5sum from a trusted Packages file and then fetch the deb
from an untrusted source if it matches.
  
> Cheers,
>  Michael

MfG
        Goswin
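The "take file/size/checksum from a trusted Packages index, then accept the .deb from an untrusted source only if it matches" idea from the last paragraph of this mail, written out as an added example. This is not apt's code and not code from anyone in the thread; it parses a Packages index in the usual blank-line-separated stanza format, checks a candidate .deb against the Size and every digest field the stanza carries, and prefers a local (unsigned) copy over a remote one whenever the local copy matches. The package names, paths, the two-stanza index and the "deb" byte string are all constructed for the example; the byte string is just a blob, not a real ar archive. One caveat not in the original mail: a 2005-era Packages file often carried only MD5sum, and this code would accept that, whereas today you would insist on SHA256 being present.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Digest fields a Packages stanza may carry, strongest first, with the
# matching hashlib algorithm name.
DIGEST_FIELDS = (("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5sum", "md5"))


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Parse a Debian Packages index: stanzas of 'Field: value' lines separated
    by blank lines; a line starting with whitespace continues the previous field."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():              # blank line ends the stanza
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            current[last_field] += "\n" + line.strip()   # continuation line
            continue
        field, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed Packages line: {line!r}")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def index_by_filename(stanzas: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map the Filename field (path under the archive root) to its stanza."""
    return {s["Filename"]: s for s in stanzas if "Filename" in s}


def verify_deb(entry: Dict[str, str], data: bytes) -> bool:
    """True only if the blob matches the Size and every digest field present
    in the trusted stanza, and at least one digest field was actually checked."""
    if int(entry["Size"]) != len(data):
        return False
    checked = 0
    for field, algo in DIGEST_FIELDS:
        expected = entry.get(field)
        if expected is None:
            continue
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            return False
        checked += 1
    return checked > 0


def pick_source(filename: str,
                index: Dict[str, Dict[str, str]],
                local_mirror: Dict[str, bytes],
                remote_mirror: Dict[str, bytes]) -> Tuple[str, bytes]:
    """Prefer the untrusted local copy when it matches the trusted index;
    otherwise fall back to the remote copy, which must match as well."""
    entry = index[filename]                     # KeyError: not in trusted index
    for origin, mirror in (("local", local_mirror), ("remote", remote_mirror)):
        data = mirror.get(filename)
        if data is not None and verify_deb(entry, data):
            return origin, data
    raise ValueError(f"no available copy of {filename} matches the trusted index")


# --- constructed sample data (not a real .deb, not a real archive) -----------
SAMPLE_DEB = b"!<arch>\ndebian-binary   constructed stand-in blob\n" + b"\x00" * 200
HELLO = "pool/main/h/hello/hello_2.1.1-4_i386.deb"

_d = {f: hashlib.new(a, SAMPLE_DEB).hexdigest() for f, a in DIGEST_FIELDS}
TRUSTED_PACKAGES = f"""Package: hello
Version: 2.1.1-4
Architecture: i386
Filename: {HELLO}
Size: {len(SAMPLE_DEB)}
MD5sum: {_d['MD5sum']}
SHA1: {_d['SHA1']}
SHA256: {_d['SHA256']}
Description: The classic greeting (constructed entry)
 This continuation line belongs to the Description field.

Package: other
Version: 1.0
Filename: pool/main/o/other/other_1.0_i386.deb
Size: 12
MD5sum: 00000000000000000000000000000000
"""


def tampered_copy(data: bytes) -> bytes:
    """Same length as the original, one bit flipped: Size passes, digests fail."""
    buf = bytearray(data)
    buf[-1] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    idx = index_by_filename(parse_packages(TRUSTED_PACKAGES))
    origin, _ = pick_source(HELLO, idx, {HELLO: SAMPLE_DEB}, {HELLO: SAMPLE_DEB})
    print("matching local copy used:", origin)
    origin, _ = pick_source(HELLO, idx, {HELLO: tampered_copy(SAMPLE_DEB)}, {HELLO: SAMPLE_DEB})
    print("tampered local copy rejected, fell back to:", origin)
```

The trusted index itself still has to come from a verified Release file; as the quoted reply says, the commands for producing one are in apt-secure(8), namely running apt-ftparchive to emit the Release file and signing it with gpg into Release.gpg. The check above only answers the narrower question of whether a particular .deb is the one that index describes.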
