Hi,

On Sun, May 19, 2019 at 11:37:57PM +0200, Thorsten Glaser wrote:
> Sure, but the apt-secure(8) manpage is 8 screen pages, and while
> I eventually (took me some time) found the right section, it does
> not document *how* one would accept this change:

Well, apt-secure manpage is supposed to be generic information for all APT-based clients. I really don't look forward to describing which buttons must be clicked to perform this magic in e.g. synaptics and the gazillion other clients apt and apt-get are just the most prominent of.

> … for the record, I *believe* that adding --allow-releaseinfo-change
> to apt-get update is right, but this appears only in the apt-get(8)
> manpage, not in apt(8) which some people believe is the new tool, and
> especially not in apt-secure(8) where the user is directed to.

1. apt(8) is documented to not document every nook and cranny.
2. "apt" asks an interactive question in this situation, for "apt-get" this is disabled by default, because, I am told, people hate changes.
3. the user is directed to "apt-secure" for details on the why, how to use the client in question is a matter of client manpages
4. The client manpage apt-get(8) indeed mentions the option framed by the other security related options.

> As such, this is a rather severe documentation bug that I believe
> ought to be fixed before buster.

While I might agree the behaviour of apt-get could be more revealing, I don't think this would belong in apt-secure. I guess we could add another N: for apt-get, but I haven't looked at where to add that it is generated only for apt-get not for other clients where that hint would make no sense as a graphical software center likely doesn't accept that flag… Or we could babble about the underlying config options like in the insecure repository case as it would affect all clients then, but that feels a bit dirty and wrong.

On a sidenote: The Release file can include a "Release-Notes" field which is then displayed as "More information about this can be found online in the Release notes at: %s" so that a repository owner can provide an explanation for this change.

In summary, I don't believe in this being a severe problem. Legit changes of these fields should be really really rare given we teach users to use Codename in configuration rather than Suite.

Best regards

David Kalnischkies