
Bug#338889: Overzealously prefers signed packages to identical unsigned ones



On Wed, 23 Nov 2005, Goswin von Brederlow wrote:

> But in the general case it would be nice if apt-get would get the
> file/size/md5sum from a trusted Packages file and then fetch the deb
> from an untrusted source if it matches.

On Wed, 23 Nov 2005, Andras Korn wrote:

> [...] if two packages have the same size and md5sum, they can IMO be
> assumed to have the same signatures too.

Hi.

I agree with Goswin and Andras here. If sources.list is like this:

deb file:/local-repository
deb http://official-mirror

and package "foo" is in both repositories, and it has the same md5sum,
the fact that it's authenticated in http://official-mirror should be
enough to consider it authenticated in file:/local-repository as well.

In other words, apt's internal logic should be changed: It should be
the md5sum of a package (i.e. "the package itself") that is to be considered
authenticated or not, not the pair "package foo from repository bar".

Or at least there should be an option for apt to behave in this way.

It does not make much sense that the user has to fiddle with gpg, keys,
signatures, etc. when all he wants to do is have a local
repository which serves as a cache for packages which are already
authenticated by other means.

Thanks.
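The logic proposed in this thread, as an added example that is not part of the bug report or of apt itself: a copy of "foo" served by any source (signed or not) counts as authenticated only if its size and digest match the entry in a trusted Packages index. The index stanza and the candidate files are constructed samples; the field names follow the Packages format (Size, MD5sum, SHA256), and the digest field to compare on is a parameter because the report discusses md5sum while current indices also carry SHA256.

```python
import hashlib

# Constructed sample stanza in the format of an apt Packages index,
# assumed to have been fetched from a signed (trusted) source.
TRUSTED_PACKAGES_INDEX = """\
Package: foo
Version: 1.0-1
Architecture: all
Filename: pool/main/f/foo/foo_1.0-1_all.deb
Size: 43
MD5sum: 9e107d9d372bb6826bd81d3542a419d6
SHA256: d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
"""

# Constructed copies of foo_1.0-1_all.deb as served by two unsigned sources;
# the second one has been altered and must be rejected.
CANDIDATES = {
    "file:/local-repository": b"The quick brown fox jumps over the lazy dog",
    "http://unsigned-mirror": b"The quick brown fox jumps over the lazy cat",
}


def parse_packages_index(text):
    """Parse RFC822-style stanzas into {package name: {field: value}}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            entries[fields["Package"]] = fields
    return entries


def is_authenticated(trusted_entry, candidate, hash_field="SHA256"):
    """True iff the candidate bytes match the trusted size and digest.
    MD5sum is what the report discusses; SHA256 is preferred when present."""
    algo = {"MD5sum": "md5", "SHA256": "sha256"}[hash_field]
    if len(candidate) != int(trusted_entry["Size"]):
        return False  # cheap check first; also catches truncated downloads
    return hashlib.new(algo, candidate).hexdigest() == trusted_entry[hash_field]


def authenticated_sources(index_text, package, candidates):
    """Sources whose copy of `package` is authenticated by the trusted index,
    regardless of whether the source itself carries a signature."""
    entry = parse_packages_index(index_text)[package]
    return sorted(src for src, data in candidates.items() if is_authenticated(entry, data))
```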
