Bug#338889: marked as done (Overzealously prefers signed packages to identical unsigned ones)



Your message dated Thu, 13 Aug 2015 14:06:00 +0200
with message-id <20150813120600.GA12626@crossbow>
and subject line Re: Bug#338889: Overzealously prefers signed packages to identical unsigned ones
has caused the Debian Bug report #338889,
regarding Overzealously prefers signed packages to identical unsigned ones
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
338889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338889
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.6.42.3
Severity: normal

Hi,

I have a local package repository that is pieced together from many
different sources. I don't have a signed Release file (is there an easy way
to generate one automatically?); I only generate my own Packages file.

The path to this local repository is listed first in my sources.list.

Nevertheless, when apt-get needs to fetch packages, it ignores my local
repository and downloads the exact same packages from the net instead,
presumably because those repositories are signed. (But do correct me if I'm
wrong.)

This is inefficient. I think that in situations where an identical (same
md5sum) package is available from multiple sources, the existence of a
Release signature shouldn't be a consideration - after all, if the local
copy has the same md5sum, it can be assumed that the same signature that the
copy from the official mirror has also applies to this one.

Currently, I work around the problem by copying all packages apt would
download to /var/cache/apt/archives from my local repository before invoking
apt.

Andras

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Get "";
APT::Get::Download-Only "false";
APT::Get::Simulate "false";
APT::Get::Assume-Yes "false";
APT::Get::Force-Yes "false";
APT::Get::Fix-Broken "false";
APT::Get::Show-Upgraded "false";
APT::Get::No-Upgrade "false";
APT::Get::Print-URIs "false";
APT::Get::Compile "false";
APT::Get::No-Download "false";
APT::Get::Purge "false";
APT::Get::List-Cleanup "true";
APT::Cache "";
APT::Cache::Important "false";
APT::CDROM "";
APT::CDROM::Rename "false";
APT::CDROM::NoMount "false";
APT::CDROM::Fast "false";
APT::CDROM::NoAct "false";
APT::Cache-Limit "40000000";
APT::Ignore-Hold "false";
APT::Immediate-Configure "true";
APT::Force-LoopBreak "false";
APT::FTPArchive "";
APT::FTPArchive::Release "";
APT::FTPArchive::Release::Origin "Korn";
APT::FTPArchive::Release::Label "Debian";
APT::FTPArchive::Release::Suite "experimental";
APT::FTPArchive::Release::Codename "chardonnay";
APT::FTPArchive::Release::Components "main";
APT::FTPArchive::Release::Description "Experimental archive for private use";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -c remove) != 1 ]; then /usr/sbin/localepurge; else exit 0; fi";
DPkg::Options "";
DPkg::Options:: "--force-overwrite";
DPkg::Options:: "--force-bad-verify";
DPkg::Run-Directory "/";
DPkg::Build-Options "-b -uc";
Acquire "";
Acquire::Queue-Mode "host";
Acquire::Retries "0";
Acquire::Source-Symlinks "true";
Acquire::http "";
Acquire::http::Proxy "";
Acquire::http::Timeout "5";
Acquire::http::No-Cache "false";
Acquire::http::Max-Age "86400";
Acquire::http::No-Store "false";
Acquire::Timeout "5";
Acquire::Passive "true";
Acquire::Passive::galeon.sourceforge.net "false";
Acquire::Proxy "";
Acquire::Proxy::Passive "true";
cdrom "";
cdrom::Mount "/cdrom";
cdrom::/cdrom/ "";
cdrom::/cdrom/::Mount "sleep 1000";
cdrom::/cdrom/::UMount "sleep 500";
DSelect "";
DSelect::Clean "auto";
DSelect::Options "-f";
DSelect::UpdateOptions "";
DSelect::PromptAfterUpdate "no";
Debug "";
Debug::pkgProblemResolver "false";
Debug::pkgAcquire "false";
Debug::pkgAcquire::Worker "false";
Debug::pkgDPkgPM "false";
Debug::pkgInitialize "false";
Debug::NoLocking "false";
Debug::Acquire "";
Debug::Acquire::Ftp "false";
Debug::aptcdrom "false";

-- /etc/apt/preferences --


-- /etc/apt/sources.list --

deb file:/mnt/debian unstable main
deb ftp://ftp.bme.hu/OS/Linux/dist/debian sid main contrib non-free
[...]

-- System Information:
Debian Release: unstable
  APT prefers breezy-security
  APT policy: (500, 'breezy-security'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.7-chardonnay-skas3-v8-rc2
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages apt depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.0.2-3  GCC support library
ii  libstdc++6                    4.0.2-3    The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

-- 
                 Andras Korn <korn at chardonnay.math.bme.hu>
                 <http://chardonnay.math.bme.hu/~korn/>	QOTD:
                      Modem sex begins with a handshake.


--- End Message ---
--- Begin Message ---
On Tue, Dec 12, 2006 at 06:40:37PM +0100, Santiago Vila wrote:
> It does not make much sense that the user has to fiddle with gpg, keys,
> signatures, etc. when everything he wants to do is to have a local
> repository which serves as a cache for packages which are already
> authenticated by other means.

Which is why there is a trusted=yes option for sources now, which is
documented in the sources.list. Using this option everything is as
requested, so closing.

Btw, the additional feature mentioned in this buglog about not
downloading the same metadata from various places is partly solved in
apt 1.1, but that is a different topic/bug.


Best regards

David Kalnischkies


--- End Message ---
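
The report argues that a local copy identical to one listed in an authenticated index is covered by that index's signature. The sketch below is an added example (not part of either message and not apt's code) that checks this outside apt by hashing local .deb contents against a Packages index assumed to have already been signature-verified. It uses SHA256 and Size rather than the md5sum mentioned in the report; the function names and sample data are constructed for illustration.

```python
import hashlib
import posixpath

def parse_packages(text):
    """Parse a Debian Packages index into {basename of Filename: fields}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):            # continuation of previous field
                if key:
                    fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Filename" in fields:
            index[posixpath.basename(fields["Filename"])] = fields
    return index

def check_local_debs(signed_packages_text, local_files):
    """Classify each local .deb (name -> bytes) against the authenticated index."""
    signed = parse_packages(signed_packages_text)
    verdicts = {}
    for name, data in local_files.items():
        ref = signed.get(name)
        if ref is None:
            verdicts[name] = "unknown"             # not covered by any signature
        elif (str(len(data)) == ref.get("Size")
              and hashlib.sha256(data).hexdigest() == ref.get("SHA256")):
            verdicts[name] = "identical"           # same bytes the signed index vouches for
        else:
            verdicts[name] = "mismatch"            # same name, different content
    return verdicts

# Constructed sample data: stand-in file contents, not real packages.
GOOD = b"constructed stand-in for foo_1.0_i386.deb"
SIGNED_INDEX = f"""Package: foo
Version: 1.0
Architecture: i386
Filename: pool/main/f/foo/foo_1.0_i386.deb
Size: {len(GOOD)}
SHA256: {hashlib.sha256(GOOD).hexdigest()}
Description: constructed entry
 second line of the description
"""
LOCAL = {"foo_1.0_i386.deb": GOOD, "bar_2.0_i386.deb": b"locally built package"}
TAMPERED = {"foo_1.0_i386.deb": GOOD + b"!"}

if __name__ == "__main__":
    print(check_local_debs(SIGNED_INDEX, LOCAL))
    print(check_local_debs(SIGNED_INDEX, TAMPERED))
```

Only files reported as "identical" inherit the signed index's guarantee; "unknown" and "mismatch" files in a source marked trusted=yes are installed without any authentication.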