Bug#513730: marked as done (fetches packages from an HTTP source rather than more preferred file source)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 13 Aug 2015 14:06:00 +0200
with message-id <20150813120600.GA12626@crossbow>
and subject line Re: Bug#338889: Overzealously prefers signed packages to identical unsigned ones
has caused the Debian Bug report #338889,
regarding fetches packages from an HTTP source rather than more preferred file source
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
338889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338889
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: [apt] Fetches packages from an HTTP source rather than more preferred file source
• From: Filipus Klutiero <chealer@gmail.com>
• Date: Sat, 31 Jan 2009 14:18:18 -0500
• Message-id: <200901311418.18648.chealer@gmail.com>

Package: apt
Version: 0.7.20
Severity: normal

I added a local package repository to my sources using the file method. I put 
the source first so that packages that can be found in the local repository 
would be fetched from there rather than from my mirror, but unfortunately the 
mirror is preferred, for some reason. This makes it inconvenient to use a 
partial local repository (in this case, the KDE CD 1 ISO).

I reproduced this bug on this PC after experiencing it on another lenny 
install. Here is an example with kbstate.

# apt-cache policy kbstate
kbstate:
  Installed: (none)
  Candidate: 4:3.5.9-2
  Version table:
     4:3.5.9-2 0
        990 file: lenny/main Packages
        990 http://gulus.usherbrooke.ca lenny/main Packages
        500 http://gulus.usherbrooke.ca sid/main Packages
vinci:/etc# apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 990 http://security.debian.org lenny/updates/non-free Packages
     release v=None,o=Debian,a=testing,l=Debian-Security,c=non-free
     origin security.debian.org
 990 http://security.debian.org lenny/updates/contrib Packages
     release v=None,o=Debian,a=testing,l=Debian-Security,c=contrib
     origin security.debian.org
 990 http://security.debian.org lenny/updates/main Packages
     release v=None,o=Debian,a=testing,l=Debian-Security,c=main
     origin security.debian.org
   1 http://gulus.usherbrooke.ca experimental/non-free Packages
     release o=Debian,a=experimental,l=Debian,c=non-free
     origin gulus.usherbrooke.ca
   1 http://gulus.usherbrooke.ca experimental/contrib Packages
     release o=Debian,a=experimental,l=Debian,c=contrib
     origin gulus.usherbrooke.ca
   1 http://gulus.usherbrooke.ca experimental/main Packages
     release o=Debian,a=experimental,l=Debian,c=main
     origin gulus.usherbrooke.ca
 500 http://gulus.usherbrooke.ca sid/non-free Packages
     release o=Debian,a=unstable,l=Debian,c=non-free
     origin gulus.usherbrooke.ca
 500 http://gulus.usherbrooke.ca sid/contrib Packages
     release o=Debian,a=unstable,l=Debian,c=contrib
     origin gulus.usherbrooke.ca
 500 http://gulus.usherbrooke.ca sid/main Packages
     release o=Debian,a=unstable,l=Debian,c=main
     origin gulus.usherbrooke.ca
 990 http://gulus.usherbrooke.ca lenny/non-free Packages
     release o=Debian,a=testing,l=Debian,c=non-free
     origin gulus.usherbrooke.ca
 990 http://gulus.usherbrooke.ca lenny/contrib Packages
     release o=Debian,a=testing,l=Debian,c=contrib
     origin gulus.usherbrooke.ca
 990 http://gulus.usherbrooke.ca lenny/main Packages
     release o=Debian,a=testing,l=Debian,c=main
     origin gulus.usherbrooke.ca
 990 file: lenny/main Packages
     release o=Debian,a=testing,l=Debian,c=main
Pinned packages:
vinci:/etc# apt-get install kbstate
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  kbstate
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 70.1kB of archives.
After this operation, 664kB of additional disk space will be used.
Get:1 http://gulus.usherbrooke.ca lenny/main kbstate 4:3.5.9-2 [70.1kB]
Fetched 70.1kB in 0s (110kB/s)
Reading package fields... Done
Reading package status... Done
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Selecting previously deselected package kbstate.
(Reading database ... 125135 files and directories currently installed.)
Unpacking kbstate (from .../kbstate_4%3a3.5.9-2_i386.deb) ...
Setting up kbstate (4:3.5.9-2) ...
vinci:/etc# cat /etc/apt/sources.list
deb file:///mnt/iso/ lenny main

deb http://gulus.usherbrooke.ca/debian/ lenny main contrib non-free
# deb http://debian.savoirfairelinux.net/debian/ lenny main contrib non-free
# deb http://debian.savoirfairelinux.net/debian/ sid main contrib non-free
deb http://gulus.usherbrooke.ca/debian/ sid main contrib non-free
#deb-src http://debian.savoirfairelinux.net/debian/ sid main contrib

deb http://gulus.usherbrooke.ca/debian/ experimental main contrib non-free


deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main

# deb http://ftp.debian-unofficial.org/debian/ testing main contrib non-free 
restricted

vinci:/etc#

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.26-1-amd64

Debian Release: 5.0
  990 testing         security.debian.org 
  990 testing         gulus.usherbrooke.ca 
  500 unstable        gulus.usherbrooke.ca 
    1 experimental    gulus.usherbrooke.ca 

--- Package information. ---
Depends                       (Version) | Installed
=======================================-+-=============
libc6                        (>= 2.7-1) | 2.7-18
libgcc1                    (>= 1:4.1.1) | 1:4.3.2-1.1
libstdc++6                   (>= 4.2.1) | 4.3.2-1.1
debian-archive-keyring                  | 2008.04.16+nmu1

--- Output from package bug script ---

--- End Message ---

--- Begin Message ---

• To: 338889-done@bugs.debian.org
• Subject: Re: Bug#338889: Overzealously prefers signed packages to identical unsigned ones
• From: David Kalnischkies <david@kalnischkies.de>
• Date: Thu, 13 Aug 2015 14:06:00 +0200
• Message-id: <20150813120600.GA12626@crossbow>
• In-reply-to: <None.LNX.4.64.0612121816320.22817@cantor.unex.es>
• References: <20051113153715.GA5146@chardonnay.math.bme.hu> <20051123154702.GB32577@top.ping.de> <874q63glbr.fsf@informatik.uni-tuebingen.de> <None.LNX.4.64.0612121816320.22817@cantor.unex.es>

On Tue, Dec 12, 2006 at 06:40:37PM +0100, Santiago Vila wrote:
> It does not make much sense that the user has to fiddle with gpg, keys,
> signatures, etc. when everything he wants to do is to have a local
> repository which serves as a cache for packages which are already
> authenticated by other means.

Which is why there is a trusted=yes option for sources now, which is
documented in the sources.list. Using this option everything is as
requested, so closing.

Btw, the additional feature mentioned in this buglog about not
downloading the same metadata from various places is partly solved in
apt 1.1, but that is a different topic/bug.


Best regards

David Kanischkies

Attachment: signature.asc
Description: Digital signature

--- End Message ---