
Bug#644610: apt: Erroneous warning on signed snapshots



Package: apt
Version: 0.8.10.3+squeeze1
Severity: minor

W: Conflicting distribution: http://repo development/snapshots/test13 InRelease (expected development/snapshots but got development)

The problem goes away entirely if the Release.gpg file for the snapshot is
moved, renamed or deleted.

Originally found on Squeeze, since reproduced in sid using a pbuilder chroot.

Snapshots are created using reprepro gensnapshot which creates Release files
similar to:
head ../snapshots/dists/lenny/snapshots/illgill1/Release 
Origin: Emdebian
Label: EmdebianGrip
Suite: lenny/snapshots/illgill1
Codename: lenny
Version: 1.0
Date: Mon, 13 Dec 2010 13:14:49 UTC
Architectures: armel
Components: main
Description: Emdebian Grip Lenny

Note the generated suite which contains / separators which are real
directories on the filesystem.

If dists/lenny/snapshots/illgill1/Release.gpg exists, apt reports the
warning. If that single file is removed, apt does not report the
warning.

No changes were made to the Release files themselves, the snapshot or
the repository itself.

We've been using reprepro snapshots since before Lenny because it is a
safe way to freeze an entire distribution at a single point of time and
let development / updates continue. This is particularly useful with
copies of Debian or Emdebian stable releases where we don't want
machines upgrading to a point release until that point release has
been tested with the other software on device.

It is only with our move to Squeeze that SecureApt support has been
added internally and this is the first time we tried to use SecureApt
with a snapshot.

To test, use reprepro to create a dummy repository - conf/distributions file
along the lines of:
Codename: development
Architectures: armel i386 source
Components: main
#SignWith: 0x61616E31

The secret key to use must be in the ~/.gnupg/ keyring of the user running
reprepro.

Generate the repo with:
$ reprepro -v export development

Include a handful of random packages in the repo using:
$ reprepro includedeb development /var/cache/apt/archives/foo*.deb

Then generate a snapshot:

$ reprepro gensnapshot development test1

The apt source would then be:

deb http://localhost/repo development/snapshots/test1 main

If SignWith is uncommented and the repo exported, Release.gpg
will be created and with any other source from this repo apt is
perfectly happy with the signature. If the snapshot source is
used with the '/' separators, the presence of the Release.gpg file
causes apt to generate the erroneous warning.

-- Package-specific info:

-- (/etc/apt/preferences present, but not submitted) --
Default installation in a clean chroot.

-- (/etc/apt/sources.list present, but not submitted) --
Example:
deb http://repo/swift development/snapshots/oct17 main                          



-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28       GnuPG archive keys of the Debian a
ii  gnupg                   1.4.10-4         GNU privacy guard - a free PGP rep
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.4.5-8        GCC support library
ii  libstdc++6              4.4.5-8          The GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc               <none>             (no description available)
ii  aptitude              0.6.3-3.2          terminal-based package manager (te
ii  bzip2                 1.0.5-6            high-quality block-sorting file co
ii  dpkg-dev              1.15.8.11          Debian package development tools
ii  lzma                  4.43-14            Compression method of 7z format in
ii  python-apt            0.7.100.1+squeeze1 Python interface to libapt-pkg
ii  synaptic              0.70~pre1+b1       Graphical package manager

-- no debconf information
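
As an added example (not part of the original report and not apt's own code): a stand-alone check that the distribution named in a sources.list line matches the Suite or Codename of a Release file, run over the Release header quoted in the report. The match rule, the function names and the sources.list line are assumptions made for this example.

```python
"""Check a sources.list distribution against a Release file's Suite/Codename."""

# Release header as quoted in the report (reprepro gensnapshot output).
RELEASE = """\
Origin: Emdebian
Label: EmdebianGrip
Suite: lenny/snapshots/illgill1
Codename: lenny
Version: 1.0
Date: Mon, 13 Dec 2010 13:14:49 UTC
Architectures: armel
Components: main
Description: Emdebian Grip Lenny
"""

# Constructed sources.list line, following the pattern shown in the report.
SOURCE = "deb http://localhost/repo lenny/snapshots/illgill1 main"

def parse_release(text):
    """Return the top-level 'Field: value' pairs of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with whitespace; skip them.
        if not line or line[0].isspace() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields

def source_distribution(line):
    """Extract the distribution field from a one-line deb/deb-src entry."""
    parts = line.split("#", 1)[0].split()
    # Drop an optional "[ option=value ... ]" block before the URI.
    if len(parts) > 1 and parts[1].startswith("["):
        closing = [i for i, p in enumerate(parts) if p.endswith("]")]
        if not closing:
            raise ValueError("unterminated option block: %r" % line)
        parts = parts[:1] + parts[closing[0] + 1:]
    if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
        raise ValueError("not a deb source line: %r" % line)
    return parts[2]

def distribution_matches(dist, release):
    """True when dist equals the Release file's Suite or Codename."""
    # Assumption for this example: either field is an acceptable match.
    return dist in (release.get("Suite"), release.get("Codename"))

if __name__ == "__main__":
    print(distribution_matches(source_distribution(SOURCE), parse_release(RELEASE)))
```

The full snapshot path matches the Suite field, while a value with the last path component missing, as in the "expected" part of the warning, matches neither field.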


