
Bug#948111: apt: document “requested hashsum is not available” and others



Control: severity -1 minor

On Sat, Jan 04, 2020 at 12:14:39AM +0100, Thorsten Glaser wrote:
> tglase@tglase-nb:/tmp $ apt-get source prevent-ruby
> Reading package lists... Done
> Picking 'mirabilos-support' as source package instead of 'prevent-ruby'
> Skipping download of file 'mirabilos-support_61.tar.gz' as requested hashsum is not available for authentication

The code generating the error message assumes that the situation that
a file has only unusable hashes available happens only for the case in
which the user explicitly requested an unavailable hash via
-o Acquire::ForceHash (that is what the comment says anyway).

The assumption is wrong, your repository "just" lacks information about
the tarball of this (and a few other packages) in all but the Files
field.

Note that debian-policy says for the Checksums fields (§5.6.24.):
| The list of files in these fields must match the list of files in the
| Files field.

This applies as the https://wiki.debian.org/DebianRepository/Format is
referring to it in the relevant section. As such your repository is
properly documented to be invalid.

It might make sense to write code to detect this specific form of broken
repository and generate a message for it (+ letting translators come up
with a translation for it), but I don't see that as a pressing or even
"important" issue. Might be wishlist, but I agree the error message
can be misleading, so let's say minor. That also means that there is
a good chance that this issue will be tackled right after the currently
400+ more important issues are resolved – so I wouldn't hold my breath
in case you or someone else reading doesn't want to fast-track that
with a patch.

In the end it is a decision if APT should be a repository consumer or if
it should grow an additional arm (or two) and act as a linter, too.


> I need the source package. Sure, I can get it some other way, but this
> is rather unfriendly, especially as neither apt.conf(5), apt-get(8),
> apt-secure(8), apt-transport-http(8) and apt(8) document how to override
> this setting for this one invocation.

As usual for these authentication-lacking downloads:
--allow-unauthenticated


> (The repository has all hashes, but the .dsc doesn’t, as it’s generated
> on sarge and then symlinked into all later distributions.)

As already said, this isn't true. Another example is the very first
package in your Sources file: apt-archived-debian

> It would behoove to document
> ALL command line options, and thus, all possible values for -o as
> well.

It would also behoove to have a lot more people contribute to Debian
native tools like apt. As long as that isn't happening you will have
to make do with what the few of us are doing. Preferably without
telling me what would behoove me to do in my free time.

Note also that the first thing you complained about in the referred-to
bugreport was that apt-secure(8) is too long (8 pages!). I am not sure
what you expect to happen if we were adding ALL options. configure-index
lists roughly 800 and even that list is lacking the more obscure ones
we haven't encountered via a testcase yet…


Best regards

David Kalnischkies
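
The repository check discussed in the message above, sketched as an added example (not APT's code and not part of the original mail): it reads one Sources stanza and reports files that a Files or Checksums-* field fails to list, including files that have only an MD5 entry in Files. The stanza, package name and hash values are constructed, and the function names are hypothetical.

```python
# Added example: the stanza below is constructed, not taken from the thread's repository.
SAMPLE = """\
Package: example-support
Version: 61
Files:
 {md5} 1024 example-support_61.dsc
 {md5} 20480 example-support_61.tar.gz
Checksums-Sha256:
 {sha256} 1024 example-support_61.dsc
""".format(md5="0" * 32, sha256="0" * 64)  # placeholder hash values


def parse_stanza(stanza):
    """Parse one deb822 stanza into {field: value}, joining continuation lines."""
    fields, current = {}, None
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields


def field_file_lists(stanza):
    """Map 'Files' and every Checksums-* field to the set of file names it lists."""
    lists = {}
    for name, value in parse_stanza(stanza).items():
        if name.lower() == "files" or name.lower().startswith("checksums-"):
            # Each entry is "<hash> <size> <filename>"; anything else is ignored.
            lists[name] = {p[2] for p in map(str.split, value.splitlines()) if len(p) == 3}
    return lists


def lint_stanza(stanza):
    """Return ({file: [fields not listing it]}, [files listed in no Checksums-* field])."""
    lists = field_file_lists(stanza)
    every_file = set().union(*lists.values())
    missing = {}
    for fname in sorted(every_file):
        absent = sorted(f for f, names in lists.items() if fname not in names)
        if absent:
            missing[fname] = absent
    md5_only = sorted(f for f in every_file if all(
        f not in names for fld, names in lists.items() if fld.lower() != "files"))
    return missing, md5_only


if __name__ == "__main__":
    missing, md5_only = lint_stanza(SAMPLE)
    for fname, fields in missing.items():
        print(f"{fname}: not listed in {', '.join(fields)}")
    for fname in md5_only:
        print(f"{fname}: only an MD5 entry in Files, no Checksums-* entry")
```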
