
Bug#338889: Overzealously prefers signed packages to identical unsigned ones



On Wed, Nov 23, 2005 at 04:47:02PM +0100, Michael Vogt wrote:

Hi,

> > I have a local package repository that is pieced together from many
> > different sources. I don't have a signed Release file (is there an easy way
> > to generate one automatically?); I only generate my own Packages file.
> 
> It's a matter of running apt-ftparchive and gpg, see apt-secure(8) for
> a discussion.

OK, will do; thanks.

> > Nevertheless, when apt-get needs to fetch packages, it ignores my local
> > repository and downloads the exact same packages from the net instead,
> > presumably because those repositories are signed. (But do correct me if I'm
> > wrong.)
> [..]
> 
> Yes, it's a feature of apt to prefer signed sources. But if you run it
> with --allow-unauthenticated, it should behave exactly as the 0.5.x
> versions. Can you please try/confirm this?

This switch seems to work as advertised here; alas, the manpage isn't very
clear about it - it just seems to say that this turns off the prompt about
unsigned packages.

This is a good enough workaround for me, but I still think the new behaviour
is wasteful (it wastes bandwidth) - if two packages have the same size and
md5sum, they can IMO be assumed to have the same signatures too.

Andras

-- 
                 Andras Korn <korn at chardonnay.math.bme.hu>
                 <http://chardonnay.math.bme.hu/~korn/>	QOTD:
      Whoever decided to limit taglines to a single line can just kiss my
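The thread above turns on what apt-secure(8) actually verifies: a gpg signature over the Release file, which lists the hashes of the Packages indexes, which in turn list the size and hash of each .deb. The following is an added example, not code from the bug thread or from apt itself, that walks that chain over constructed sample data. The gpg signature check is modelled as a boolean input (`release_signature_ok`) because it is performed by gpg outside this script; the file names, suite name and hash values are constructed for the example and are not from any real archive.

```python
"""Added example (not from the bug thread or from apt): verify the apt-secure
trust chain Release -> Packages -> .deb over constructed sample data."""
import hashlib

# Constructed sample .deb payload; not a real Debian package.
DEB_BYTES = b"!<arch>\nconstructed sample payload, not a real .deb\n"


def digests(data: bytes) -> dict:
    """Size and the two digests apt-ftparchive would record for `data`."""
    return {"MD5Sum": hashlib.md5(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "size": len(data)}


D = digests(DEB_BYTES)

# Constructed Packages index stanza (the shape apt-ftparchive emits).
PACKAGES = (
    "Package: sample\n"
    "Version: 1.0-1\n"
    "Architecture: all\n"
    "Filename: pool/main/s/sample/sample_1.0-1_all.deb\n"
    f"Size: {D['size']}\n"
    f"MD5sum: {D['MD5Sum']}\n"
    f"SHA256: {D['SHA256']}\n"
    "\n"
).encode()

P = digests(PACKAGES)

# Constructed Release file listing the Packages index under both hash sections.
RELEASE = (
    "Suite: local\n"
    "Codename: local\n"
    "Architectures: all\n"
    "Components: main\n"
    "MD5Sum:\n"
    f" {P['MD5Sum']} {P['size']} main/binary-all/Packages\n"
    "SHA256:\n"
    f" {P['SHA256']} {P['size']} main/binary-all/Packages\n"
)


def parse_release(text: str) -> dict:
    """Return {section: {path: (hexdigest, size)}} for the hash sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            key = line.split(":", 1)[0]
            current = key if key in ("MD5Sum", "SHA256") else None
            if current:
                sections[current] = {}
        elif current and line.strip():
            digest, size, path = line.split()
            sections[current][path] = (digest, int(size))
    return sections


def parse_packages(data: bytes) -> dict:
    """Return {Filename: stanza fields} from a Packages index."""
    out = {}
    for stanza in data.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields:
            out[fields["Filename"]] = fields
    return out


def verify_index(release_text, index_path, index_bytes, release_signature_ok):
    """Steps 1-2: a Release file whose gpg signature verified (modelled here as
    a boolean) vouches for the size and SHA256 of the Packages index."""
    if not release_signature_ok:
        return False
    entry = parse_release(release_text).get("SHA256", {}).get(index_path)
    if entry is None:
        return False
    digest, size = entry
    return size == len(index_bytes) and digest == hashlib.sha256(index_bytes).hexdigest()


def verify_deb(index_bytes, filename, deb_bytes):
    """Step 3: the verified index vouches for the .deb by size and SHA256.
    Which mirror supplied the bytes does not enter into this check."""
    stanza = parse_packages(index_bytes).get(filename)
    if stanza is None:
        return False
    return (int(stanza["Size"]) == len(deb_bytes)
            and stanza["SHA256"] == hashlib.sha256(deb_bytes).hexdigest())


def chain_ok(release_text, index_bytes, deb_bytes, release_signature_ok=True,
             index_path="main/binary-all/Packages",
             filename="pool/main/s/sample/sample_1.0-1_all.deb"):
    """True only if every link of Release -> Packages -> .deb holds."""
    return (verify_index(release_text, index_path, index_bytes, release_signature_ok)
            and verify_deb(index_bytes, filename, deb_bytes))


if __name__ == "__main__":
    print("intact chain:", chain_ok(RELEASE, PACKAGES, DEB_BYTES))
    print("tampered deb:", chain_ok(RELEASE, PACKAGES, DEB_BYTES + b"x"))
    print("unsigned Release:", chain_ok(RELEASE, PACKAGES, DEB_BYTES,
                                        release_signature_ok=False))
```

The point the chain makes explicit is that an individual .deb is never signed; it is vouched for by hash from a signed index. A package whose size and SHA256 match a signed index passes step 3 whatever URL it came from, while a .deb that differs by a single byte, or an index not covered by a verified Release file, fails closed.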