Bug#376817: apt complains

[Mark Robinson <mark@zl2tod.net>]

<deep breath> Given that this appears to be an update phasing problem between 
various servers/mirrors, is it feasible to add a behaviour whereby apt tries to 
use the same server that was used for the last update as a preferred source for 
packages to be upgraded at least for the first attempt and perhaps within a day 
or two of the update ? <cache dns result between updates>

Should this behaviour be promulgated in the other package management systems 
(aptitude, synaptic ...) ?

Is there an option to display the identity of source servers ?

> piwakawaka:~# apt-get source apt
> Reading package lists... Done
> Building dependency tree... Done
> Need to get 1673kB of source archives.
> Get:1 http://http.us.debian.org sid/main apt 0.6.45 (dsc) [784B]
> Get:2 http://http.us.debian.org sid/main apt 0.6.45 (tar) [1672kB]
> Fetched 1673kB in 11s (147kB/s)
> gpg: Signature made Thu Jul 27 11:01:18 2006 NZST using DSA key ID 5662C734
> gpg: Can't check signature: public key not found
> dpkg-source: extracting apt in apt-0.6.45
> dpkg-source: unpacking apt_0.6.45.tar.gz
> piwakawaka:~#                  

I assume this means I can't trust this sourcecode.

I've looked for any reference to why a new gpg signature was made on 27Jul to 
no avail. I assume it is related to the recent compromise. Can anyone enlighten 
me ?