Bug#318630: Any progress on the per-repository "trusted" override?

[Goswin von Brederlow <goswin-v-b@web.de>]

Francesco Poli <frx@firenze.linux.it> writes:

> Hi!
>
> Is there any progress on the implementation of a field in sources.list
> that allows to specify that a given repository is to be trusted, even
> without signature checking?
>
> It would be really useful for local (i.e.: created on the same box
> where they will be used) trivial repositories, where you do not want to
> setup the necessary infrastructure for signing Release files, and so
> forth...
>
> Please let me know.
> Thanks in advance.

I'm waiting for a reaction to

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536029

before rewriting the old [TRUSTED] patch to support:

- deb [key=0x1AB52325534,0x3475BDF478] ...
  Only accept signatures by one of the listed fingerprints

- deb [keyring=foobar.gpg] ...
  Use foobar.gpg to verify the signatures and only foobar.gpg.

deb [trust=always|never] ....
  Ignore the Release signature and just always or never trust the
  source. "always" would be for file:// or sources on the local
  network where you don't care if it is unsigned. "never" would be for
  repositories you want to always be asked before they are used and
  which should not replace packages from more trusted repositories.

#536029 already contains the general parser for the fields. So I'm
waiting for it to be added.

MfG
        Goswin