Bug#807996: 807996 still exists; workaround

To: 807996@bugs.debian.org
Subject: Bug#807996: 807996 still exists; workaround
From: David Farrier <farrier@iglou.com>
Date: Mon, 26 Apr 2021 19:46:56 -0400 (EDT)
Message-id: <[🔎] alpine.DEB.2.21.2104251825150.10282@penguin.site>
Reply-to: David Farrier <farrier@iglou.com>, 807996@bugs.debian.org
References: <145015968825.5415.1411191078737508843.reportbug@debian>

Sorry, I just discovered this bug report. I have been having this problemfor years, and don't remember when it started. I have been using aworkaround, but would like to find a better solution. I see theworkaround I have been using is one of those Kingsley G. Morse triedbut could not get to work.


The workaround is, after registering each CD-ROM using apt-cdrom,
modify the /etc/sources.list file. Edit it to add the "trusted" flag to
the entry for each CD-ROM. (In my case, I am using DVDs.) For example:
  deb [trusted=yes] cdrom:[Debian GNU/Linux 10.9.0 _Buster_ - Official
    amd64 DVD Binary-2 20210327-10:39]/ buster contrib main
Then run "apt update". Which now works, although it generates an
annoying number of "ign:" messages.

Presumably it is okay to "trust" your CD-ROM set because you have
physical control of it, and thus are reasonably sure it has not been
tampered with. However, recently I happened to read the apt-secure man
page, which warns that some future release of apt will no longer honor
flags like "trust". That warning started me hunting for a better
solution. Haven't found it yet, but did find this bug report.

I can replicate the bug in a variety of situations, but below I give an
example of a particularly simple test case:

I am running Debian stable amd-64 with a fairly standard desktop
selection of packages. First I use my favorite Internet mirror to
update to the latest stable release 10.9. No problems. Then,

I download the first few DVD images of the same release. So far,these are reasonable actions for someone who doesn't always have goodInternet. Next, register the DVDs using apt-cdrom, but for testingpurposes, I only register one of them. I choose the second DVD of the set,because I happen to know the names of some packages it contains but I havenot yet installed. Next, I disable the Internet repository, by editing/etc/sources.list to comment out its entry. Then run "apt update", whichresults in the following errors:


    Ign:1 cdrom://[Debian GNU/Linux 10.9.0 _Buster_ - Official amd64
      DVD Binary-2 20210327-10:39] buster InRelease
    Err:2 cdrom://[Debian GNU/Linux 10.9.0 _Buster_ - Official amd64
      DVD Binary-2 20210327-10:39] buster Release
    Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get
      update cannot be used to add new CD-ROMs
    Hit:3 http://security.debian.org/debian-security buster/updates
      InRelease
    Reading package lists... Done
    E: The repository 'cdrom://[Debian GNU/Linux 10.9.0 _Buster_ -
      Official amd64 DVD Binary-2 20210327-10:39] buster Release' does not
      have a Release file.
    N: Updating from such a repository can't be done securely,
      and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user
      configuration details.

Next, I verify the DVD really was excluded from the update. I run "aptsearch" on some of its packages. As expected, "apt search" does not findthem.


To test the workaround, I apply it as described above. After running
"apt update" I then run "apt search" for the same packages as before,
confirming apt now knows they exist. I then run "apt install" on one of
the packages on DVD #2, and confirm it installs okay.

Reply to:

Prev by Date: Bug#926476: apt search vs apt-cache search package list / output format
Next by Date: Processed: Bug#981535 marked as pending in apt
Previous by thread: Bug#926476: apt search vs apt-cache search package list / output format
Next by thread: Processed: Bug#981535 marked as pending in apt
Index(es):
- Date
- Thread