On Sunday 06 February 2005 06:03 pm, Sam Morris wrote:
> Daniel Burrows wrote:
> > On Sunday 06 February 2005 05:25 pm, Sam Morris wrote:
> >> Although running an update in the GUI does throw up a warning if a
> >> package repository could not be verified, there is no later warning if
> >> the user attempts to install a package from an unverified repository.
> >
> > It seems to work fine for me (in visual mode of course). Could you
> > give me a concrete example?
>
> Christian Marillat's repository <http://debian.video.free.fr/> is
> currently failing the signature check; from the error message it looks
> like he is signing the Release file with a different key than before.
>
> $ sudo apt-get install --reinstall mplayer-nogui
> ...
> WARNING: The following packages cannot be authenticated!
>   mplayer-nogui
> Install these packages without verification? [y/N] n
>
> Highlighting the package in aptitude, pressing L to reinstall, then g
> twice results in mplayer-nogui being installed with no warnings.
  If you currently have an "insecure" package version installed, and you
upgrade to an "insecure" version, aptitude doesn't warn you; the reason is
to avoid lots of useless warnings in the common case where you're tracking
a single package from a third-party repository and want to get upgrades.
If people had to cancel a pointless warning dialog on a regular basis, the
warning dialog would quickly cease to fulfill its purpose. It might be
worthwhile to add a "paranoid" option for people who always want to see
this warning, though.

  Also, reinstalling packages never needs to show a warning, because you're
always installing the same package you already have installed (and which
was presumably verified to your satisfaction).

  One thing I don't know is what will happen if a repository that was
previously secure loses its signature -- I believe that when this happened
to the Debian archive, I got a warning dialog about everything that I was
trying to upgrade, but I may be misremembering now. It would be
(colloquially) a serious bug if that was treated as an upgrade from
insecure versions to insecure versions. In other words: what happens when
you try to upgrade from the package versions installed from the secure
version of Christian's archive to *different* versions installed from the
insecure version?

  Daniel

-- 
/--------------------- Daniel Burrows <[EMAIL PROTECTED]> --------------------\
|  "Progress just means bad things happen faster."                          |
|    -- Terry Pratchett, _Witches Abroad_                                   |
\------ (if (not (understand-this)) (go-to http://www.schemers.org)) -------/
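The warning policy Daniel describes (no warning on reinstall, no warning on an insecure-to-insecure upgrade, a proposed "paranoid" option, and the open question of a previously secure repository that loses its signature) can be written down as a small decision function. The following is an added illustration for this thread, not code from aptitude or APT: the `Version`/`Request` types, the `trusted` flag, the `needs_warning` function and the version strings are all invented here, and the scenarios are constructed to mirror Sam's mplayer-nogui case.

```python
"""Model of the 'cannot be authenticated' warning policy discussed above.

Added example, not aptitude's or APT's own code. The data model, the
function names and the version strings are hypothetical; `trusted` stands
for 'the Release file of the repository this version came from verified'.
"""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Action(Enum):
    INSTALL = "install"      # package not currently installed
    UPGRADE = "upgrade"      # installed version differs from candidate
    REINSTALL = "reinstall"  # candidate is the version already installed


@dataclass(frozen=True)
class Version:
    version: str
    trusted: bool  # did the source repository's Release signature verify?


@dataclass(frozen=True)
class Request:
    package: str
    installed: Optional[Version]  # None when the package is not installed
    candidate: Version            # the version the operation would install


def classify(req: Request) -> Action:
    """Name the operation implied by installed vs. candidate version."""
    if req.installed is None:
        return Action.INSTALL
    if req.installed.version == req.candidate.version:
        return Action.REINSTALL
    return Action.UPGRADE


def needs_warning(req: Request, paranoid: bool = False) -> bool:
    """Decide whether the user should be asked before acting on `req`.

    Rules as laid out in the thread:
      * a trusted candidate never warns;
      * installing an untrusted candidate where nothing is installed warns;
      * a reinstall never warns (same bits you already accepted once);
      * untrusted -> untrusted upgrade stays silent unless `paranoid`
        (the suggested opt-in) is set;
      * trusted -> untrusted upgrade must warn: this is the 'repository
        lost its signature' case that must not be mistaken for the
        insecure-to-insecure case.
    """
    if req.candidate.trusted:
        return False
    action = classify(req)
    if action is Action.INSTALL:
        return True
    if action is Action.REINSTALL:
        return False
    assert req.installed is not None  # Action.UPGRADE implies an installed version
    if req.installed.trusted:
        return True
    return paranoid


# Constructed scenarios (hypothetical version strings, not real archive data).
SCENARIOS: Dict[str, Request] = {
    # Sam's case: reinstall from the repository that now fails verification.
    "reinstall_from_unverified": Request(
        "mplayer-nogui", Version("1.0-2", False), Version("1.0-2", False)),
    # Tracking a third-party package that never verified: routine upgrade.
    "insecure_to_insecure": Request(
        "mplayer-nogui", Version("1.0-1", False), Version("1.0-2", False)),
    # Repository used to verify, now signs with an unknown key.
    "secure_to_insecure": Request(
        "mplayer-nogui", Version("1.0-1", True), Version("1.0-2", False)),
    # Fresh install from a repository that cannot be verified.
    "fresh_install_unverified": Request(
        "mplayer-nogui", None, Version("1.0-2", False)),
    # Everything verified: nothing to ask.
    "secure_to_secure": Request(
        "mplayer-nogui", Version("1.0-1", True), Version("1.0-2", True)),
}


def run_all(paranoid: bool = False) -> Dict[str, bool]:
    """Evaluate every scenario under the given policy setting."""
    return {name: needs_warning(req, paranoid) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"paranoid={mode}")
        for name, warn in run_all(mode).items():
            print(f"  {name:26s} -> {'WARN' if warn else 'silent'}")
```

The one case that differs between the two settings is `insecure_to_insecure`; the `secure_to_insecure` case warns regardless, which is the behaviour Daniel says he would expect when a formerly signed archive stops verifying.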