
Bug#712486: /usr/bin/apt-get: DROP fetched release files that fail signature validation



Package: apt
Version: 0.9.8.1
Severity: wishlist
File: /usr/bin/apt-get

Hi,

Please remove fetched release files that fail signature validation.
Those files cannot be trusted and are hence useless but can lead to
confusing behaviour when present.

Background: I experienced the same behaviour as #710229: When running
apt-get update it fetched the landing page of my university instead of
the release file. Obviously that failed signature verification. But
instead of another apt-get update replacing the wrong release file it
continues using it, signature verification always failing and no packages
from that repository available. When the release file updates the new
one is fetched, which makes the immediate problem go away. But the
signature verification message is confusing and even frightening when
one does another apt-get update that could fetch the right release but
does not. 

Thanks for your work, Arian Sanusi
-- Package-specific info:

-- (/etc/apt/preferences present, but not submitted) --

-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (800, 'testing'), (600, 'stable'), (550, 'unstable'), (500, 'raring'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg                   1.4.12-7
ii  libapt-pkg4.12          0.9.8.1
ii  libc6                   2.17-5
ii  libgcc1                 1:4.8.1-2
ii  libstdc++6              4.8.1-2

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc     <none>
ii  aptitude    0.6.8.2-1
ii  dpkg-dev    1.16.10
ii  python-apt  0.8.9
ii  wajig       2.8
ii  xz-utils    5.1.1alpha+20120614-2

-- no debconf information

