
Bug#596498: sources.list: add option to mark unsigned (local) repository as trusted



Ansgar Burchardt <ansgar@43-1.org> writes:

> tags 596498 + patch
> thanks
>
>> It would be nice if a repository could be marked as trusted in the
>> sources.list.  This would make it easier to use local repositories with,
>> for example, pbuilder without having to generate a PGP key, signing the
>> repository and finally importing the key into apt, see also [1].
>
> Attached is a patch to add a [trusted=1] option to sources.list.  When
> present, the source is regarded as trusted even without a Release.gpg.
> Documentation of this feature is still missing.
>
> I did the following testing using apt 0.8.3 with the patch applied:
> Installing from an unsigned (or signed with unknown key) repository
> causes a warning when [trusted=0] or no option is given in sources.list;
> installing from an unsigned (or signed with unknown key) repository does
> not warn when [trusted=1] is given in sources.list.

I would have used 'trust=always', 'trust=key' (default) and 'trust=never'.
But otherwise the patch looks good to me.

> Note that "apt-get update" still warns about unknown signatures even
> when [trusted=1] is given for the source.  I do not think this is
> harmful as the option is mainly intended for unsigned (local)
> repositories anyway.

I think that is a good idea. Consider the scenario that you have an
unsigned repository and later a signature is added. You then see the
warning about the new signature and can add the right key instead of
continuing to use the source untrusted.

> Regards,
> Ansgar

MfG
        Goswin
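
Added example (not part of this thread, the attached patch, or apt itself): a small Python check that lists sources.list entries carrying the trusted option discussed above, so that repositories accepted without a Release.gpg can be reviewed. The one-line entry layout, the extra truthy spellings "yes" and "true", and the sample file contents are assumptions.

```python
import re

# One-line sources.list entry: type, optional [options], URI, suite.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

# "1" is the value used in the thread; the other spellings are an assumption
# about what a released apt may accept as a true boolean.
TRUTHY = {"1", "yes", "true"}


def audit_sources(text):
    """Return (line_number, uri, suite) for every entry marked trusted."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = ENTRY.match(line)
        if not match:
            continue
        _type, options, uri, suite = match.groups()
        for option in (options or "").split():
            key, _, value = option.partition("=")
            if key.lower() == "trusted" and value.lower() in TRUTHY:
                findings.append((number, uri, suite))
    return findings


# Constructed sample input, not taken from the thread.
SAMPLE = """\
# local pbuilder results
deb [trusted=1] file:///var/cache/pbuilder/result ./
deb [arch=amd64 trusted=0] http://mirror.example.org/debian stable main
deb http://deb.debian.org/debian stable main
#deb [trusted=1] http://old.example.org/debian stable main
deb-src [trusted=yes] http://build.example.net/repo unstable main
"""

if __name__ == "__main__":
    for number, uri, suite in audit_sources(SAMPLE):
        print(f"line {number}: {uri} {suite} is trusted without a signature check")
```

Entries with [trusted=0], entries without the option, and commented-out lines are not reported.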


