
Bug#980849: apt fails to reject repositories with invalid InRelease file

Package: apt
Version: 2.1.18
Severity: important

Hi,

I maintain the extrepo package[1], a tool to manage external (i.e.,
third-party, non-Debian) repositories.

As part of that, the extrepo-data repository on salsa[2] manages
metadata for repositories. In a GitLab CI job, I validate that the
repositories do not contain anything that is not valid before accepting
them to the metadata repository.

One of the checks is to validate the InRelease file.

Currently, there are two merge requests open[3] for repositories on
which my script fails while trying to verify the InRelease file.

It turns out that these repositories return data for the InRelease file
-- i.e., a file that has checksums and is signed by some tool -- but the
signature is invalid. The repository also has a Release/Release.gpg
pair, where the signature *is* valid.

Apt should probably produce a warning (if not an error) on such
repositories; it currently does not seem to do that.

[1] https://packages.debian.org/extrepo
[2] https://salsa.debian.org/extrepo-team/extrepo-data
[3] https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/65
    and .../66
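An added example, not code from the bug report, apt or extrepo, of the kind of check the reporter's CI job performs: it verifies InRelease and the Release/Release.gpg pair with gpgv separately, so the reported combination (InRelease invalid, Release.gpg valid) is surfaced rather than masked, and it compares the signed text inside InRelease with Release. It assumes the repository's top-level files have been fetched into a local directory and that a gpgv keyring with the publisher's key is available; the sample metadata is constructed.

```python
import shutil
import subprocess
from pathlib import Path

# Constructed sample metadata (not a real repository); the signature block is a dummy.
SAMPLE_RELEASE = "Origin: Example\nSuite: stable\nSHA256:\n 0123abcd 123 main/binary-amd64/Packages\n"
SAMPLE_INRELEASE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + SAMPLE_RELEASE
                    + "-----BEGIN PGP SIGNATURE-----\n\nAAAA\n=AAAA\n-----END PGP SIGNATURE-----\n")

def clearsigned_body(text):
    """Return the signed text of a cleartext-signed message (RFC 4880 section 7)
    such as InRelease: drop the armor and signature block, undo "- " dash-escaping."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a cleartext-signed message")
    i = 1
    while i < len(lines) and lines[i] != "":  # skip the "Hash:" header lines
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    else:
        raise ValueError("missing signature block")
    return "\n".join(body) + "\n"

def gpgv_ok(keyring, *files):
    """True if gpgv verifies the signature: InRelease alone, or Release.gpg then Release."""
    if shutil.which("gpgv") is None:
        raise RuntimeError("gpgv is not installed")
    cmd = ["gpgv", "--keyring", str(keyring), *map(str, files)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def check_repo(repo, keyring):
    """Report each signature path separately, so an invalid InRelease beside a
    valid Release/Release.gpg pair (the case in the bug) is not masked."""
    inrelease, release, detached = (Path(repo) / n for n in ("InRelease", "Release", "Release.gpg"))
    report = {}
    if inrelease.exists():
        report["inrelease"] = gpgv_ok(keyring, inrelease)
    if release.exists() and detached.exists():
        report["release_gpg"] = gpgv_ok(keyring, detached, release)
    if inrelease.exists() and release.exists():
        # Both files are generated from the same data, so their signed text normally matches.
        report["bodies_match"] = clearsigned_body(inrelease.read_text()) == release.read_text()
    return report
```

A repository that yields `{"inrelease": False, "release_gpg": True, ...}` is exactly the situation described above and should be rejected by the CI check even though apt does not currently warn about it.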
