Your message dated Thu, 13 Aug 2015 14:06:00 +0200 with message-id <20150813120600.GA12626@crossbow> and subject line Re: Bug#338889: Overzealously prefers signed packages to identical unsigned ones has caused the Debian Bug report #338889, regarding Overzealously prefers signed packages to identical unsigned ones to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
338889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338889
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Overzealously prefers signed packages to identical unsigned ones
- From: Andras Korn <korn-debbugs@chardonnay.math.bme.hu>
- Date: Sun, 13 Nov 2005 16:37:15 +0100
- Message-id: <20051113153715.GA5146@chardonnay.math.bme.hu>
Package: apt
Version: 0.6.42.3
Severity: normal

Hi,

I have a local package repository that is pieced together from many different sources. I don't have a signed Release file (is there an easy way to generate one automatically?); I only generate my own Packages file.

The path to this local repository is listed first in my sources.list. Nevertheless, when apt-get needs to fetch packages, it ignores my local repository and downloads the exact same packages from the net instead, presumably because those repositories are signed. (But do correct me if I'm wrong.)

This is inefficient. I think that in situations where an identical (same md5sum) package is available from multiple sources, the existence of a Release signature shouldn't be a consideration - after all, if the local copy has the same md5sum, it can be assumed that the same signature that the copy from the official mirror has also applies to this one.

Currently, I work around the problem by copying all packages apt would download to /var/cache/apt/archives from my local repository before invoking apt.
Andras

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Get "";
APT::Get::Download-Only "false";
APT::Get::Simulate "false";
APT::Get::Assume-Yes "false";
APT::Get::Force-Yes "false";
APT::Get::Fix-Broken "false";
APT::Get::Show-Upgraded "false";
APT::Get::No-Upgrade "false";
APT::Get::Print-URIs "false";
APT::Get::Compile "false";
APT::Get::No-Download "false";
APT::Get::Purge "false";
APT::Get::List-Cleanup "true";
APT::Cache "";
APT::Cache::Important "false";
APT::CDROM "";
APT::CDROM::Rename "false";
APT::CDROM::NoMount "false";
APT::CDROM::Fast "false";
APT::CDROM::NoAct "false";
APT::Cache-Limit "40000000";
APT::Ignore-Hold "false";
APT::Immediate-Configure "true";
APT::Force-LoopBreak "false";
APT::FTPArchive "";
APT::FTPArchive::Release "";
APT::FTPArchive::Release::Origin "Korn";
APT::FTPArchive::Release::Label "Debian";
APT::FTPArchive::Release::Suite "experimental";
APT::FTPArchive::Release::Codename "chardonnay";
APT::FTPArchive::Release::Components "main";
APT::FTPArchive::Release::Description "Experimental archive for private use";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -c remove) != 1 ]; then /usr/sbin/localepurge; else exit 0; fi";
DPkg::Options "";
DPkg::Options:: "--force-overwrite";
DPkg::Options:: "--force-bad-verify";
DPkg::Run-Directory "/";
DPkg::Build-Options "-b -uc";
Acquire "";
Acquire::Queue-Mode "host";
Acquire::Retries "0";
Acquire::Source-Symlinks "true";
Acquire::http "";
Acquire::http::Proxy "";
Acquire::http::Timeout "5";
Acquire::http::No-Cache "false";
Acquire::http::Max-Age "86400";
Acquire::http::No-Store "false";
Acquire::Timeout "5";
Acquire::Passive "true";
Acquire::Passive::galeon.sourceforge.net "false";
Acquire::Proxy "";
Acquire::Proxy::Passive "true";
cdrom "";
cdrom::Mount "/cdrom";
cdrom::/cdrom/ "";
cdrom::/cdrom/::Mount "sleep 1000";
cdrom::/cdrom/::UMount "sleep 500";
DSelect "";
DSelect::Clean "auto";
DSelect::Options "-f";
DSelect::UpdateOptions "";
DSelect::PromptAfterUpdate "no";
Debug "";
Debug::pkgProblemResolver "false";
Debug::pkgAcquire "false";
Debug::pkgAcquire::Worker "false";
Debug::pkgDPkgPM "false";
Debug::pkgInitialize "false";
Debug::NoLocking "false";
Debug::Acquire "";
Debug::Acquire::Ftp "false";
Debug::aptcdrom "false";

-- /etc/apt/preferences --

-- /etc/apt/sources.list --

deb file:/mnt/debian unstable main
deb ftp://ftp.bme.hu/OS/Linux/dist/debian sid main contrib non-free
[...]
-- System Information:
Debian Release: unstable
  APT prefers breezy-security
  APT policy: (500, 'breezy-security'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.7-chardonnay-skas3-v8-rc2
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages apt depends on:
ii  libc6       2.3.5-6    GNU C Library: Shared libraries an
ii  libgcc1     1:4.0.2-3  GCC support library
ii  libstdc++6  4.0.2-3    The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

--
Andras Korn <korn at chardonnay.math.bme.hu>
<http://chardonnay.math.bme.hu/~korn/>
QOTD: Modem sex begins with a handshake.
--- End Message ---
--- Begin Message ---
- To: 338889-done@bugs.debian.org
- Subject: Re: Bug#338889: Overzealously prefers signed packages to identical unsigned ones
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Thu, 13 Aug 2015 14:06:00 +0200
- Message-id: <20150813120600.GA12626@crossbow>
- In-reply-to: <None.LNX.4.64.0612121816320.22817@cantor.unex.es>
- References: <20051113153715.GA5146@chardonnay.math.bme.hu> <20051123154702.GB32577@top.ping.de> <874q63glbr.fsf@informatik.uni-tuebingen.de> <None.LNX.4.64.0612121816320.22817@cantor.unex.es>
On Tue, Dec 12, 2006 at 06:40:37PM +0100, Santiago Vila wrote:
> It does not make much sense that the user has to fiddle with gpg, keys,
> signatures, etc. when everything he wants to do is to have a local
> repository which serves as a cache for packages which are already
> authenticated by other means.

Which is why there is a trusted=yes option for sources now, which is documented in the sources.list. Using this option everything is as requested, so closing.

Btw, the additional feature mentioned in this buglog about not downloading the same metadata from various places is partly solved in apt 1.1, but that is a different topic/bug.

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature
--- End Message ---
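
The reporter's premise (a local copy with the same checksum as the mirror's copy is covered by the mirror's signature) can be checked explicitly before a local source is marked trusted=yes. The following is an added example, not part of the bug thread and not apt's own code: it compares a local Packages index against one taken from a signed repository, using the SHA256 field rather than md5sum. The function names and the sample stanzas are constructed for illustration.

```python
import hashlib
import re

def parse_packages(text):
    """Parse a Packages index (deb822 stanzas) into dicts with lower-cased keys."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:        # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line and not line.startswith("#"):
                name, _, value = line.partition(":")
                key = name.strip().lower()
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def classify_local(local_text, authenticated_text):
    """Return (covered, uncovered) lists of (package, version, architecture)."""
    def ident(s):
        return (s["package"], s["version"], s["architecture"])
    trusted = {ident(s): s.get("sha256") for s in parse_packages(authenticated_text)}
    covered, uncovered = [], []
    for s in parse_packages(local_text):
        digest = s.get("sha256")
        # Covered only if the signed index lists the same package with the same digest.
        match = digest is not None and trusted.get(ident(s)) == digest
        (covered if match else uncovered).append(ident(s))
    return covered, uncovered

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def stanza(name, version, content):
    return (f"Package: {name}\nVersion: {version}\nArchitecture: i386\n"
            f"SHA256: {sha256_hex(content)}\n")

# Constructed sample data: package names, versions and contents are made up.
AUTHENTICATED = "\n".join([stanza("foo", "1.0-1", b"foo upstream"),
                           stanza("bar", "2.3-1", b"bar upstream")])
LOCAL = "\n".join([stanza("foo", "1.0-1", b"foo upstream"),         # identical copy
                   stanza("bar", "2.3-1", b"bar rebuilt locally"),  # same version, other bytes
                   stanza("baz", "0.1", b"baz local only")])        # not in the signed index

if __name__ == "__main__":
    covered, uncovered = classify_local(LOCAL, AUTHENTICATED)
    print("covered by the signed index:", covered)
    print("accepted only because of trusted=yes:", uncovered)
```

Entries in the second list have no upstream signature behind them; with trusted=yes on the local source they are accepted without that check.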