Package: apt Version: 0.6.43 Severity: normal
Since the year has turned over, apt-get update now produces the error: [...] Reading package lists... Done W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F Because the release key is not provided via an automated mechanism. Leaveing aside that the means for getting a new key are not documented in /usr/share/doc/apt or apt-doc, there is the additional issue that undocumented, this looks like the debian servers may be compromised. Secondarily, the recipes I can find for updating to the new release key do not make clear whether the new release key is verifiable in any way. I am worried that debian may be violating its trust model once a year. -- Package-specific info: -- apt-config dump -- APT ""; APT::Architecture "i386"; APT::Build-Essential ""; APT::Build-Essential:: "build-essential"; APT::Default-Release "testing"; APT::Cache-Limit "10000000"; Dir "/"; Dir::State "var/lib/apt/"; Dir::State::lists "lists/"; Dir::State::cdroms "cdroms.list"; Dir::State::userstatus "status.user"; Dir::State::status "/var/lib/dpkg/status"; Dir::Cache "var/cache/apt/"; Dir::Cache::archives "archives/"; Dir::Cache::srcpkgcache "srcpkgcache.bin"; Dir::Cache::pkgcache "pkgcache.bin"; Dir::Etc "etc/apt/"; Dir::Etc::sourcelist "sources.list"; Dir::Etc::sourceparts "sources.list.d"; Dir::Etc::vendorlist "vendors.list"; Dir::Etc::vendorparts "vendors.list.d"; Dir::Etc::main "apt.conf"; Dir::Etc::parts "apt.conf.d"; Dir::Etc::preferences "preferences"; Dir::Bin ""; Dir::Bin::methods "/usr/lib/apt/methods"; Dir::Bin::dpkg "/usr/bin/dpkg"; DPkg ""; DPkg::Pre-Install-Pkgs ""; DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true"; DPkg::Post-Invoke ""; DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi"; DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -c remove) != 1 ]; then /usr/sbin/localepurge; else exit 0; fi"; Acquire ""; Acquire::http ""; Acquire::http::Pipeline-Depth "3"; -- /etc/apt/preferences -- Package: * Pin: release a=testing Pin-Priority: 900 Package: * Pin: release a=etch Pin-Priority: 900 Package: * Pin: release o=Debian Pin-Priority: -10 -- /etc/apt/sources.list -- deb file:/var/cache/apt-build/repository apt-build main # Testing sources deb http://http.us.debian.org/debian/ testing main contrib non-free # sonic mirrors binaries (slowly!!!) #deb ftp://ftp.sonic.net/mirrors/debian/ testing main contrib non-free deb-src http://http.us.debian.org/debian/ testing main contrib non-free #deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free #deb-src http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free # Unstable sources deb http://http.us.debian.org/debian/ unstable main non-free contrib #deb ftp://ftp.sonic.net/mirrors/debian/ unstable main contrib non-free deb-src http://http.us.debian.org/debian/ unstable main non-free contrib #deb http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free #deb-src http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free # Stable sources #deb http://http.us.debian.org/debian stable main contrib non-free #deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free #deb http://security.debian.org stable/updates main contrib non-free #deb-src http://http.us.debian.org/debian stable main contrib # Special sources # java ? # broke one day #deb ftp://ftp.tux.org/pub/java/debian unstable main non-free #deb ftp://ftp.tux.org/pub/java/debian testing main non-free #experimental UAE deb http://www.rcdrummond.net/uae sid main # various contraband deb ftp://ftp.nerim.net/debian-marillat/ etch main deb ftp://ftp.nerim.net/debian-marillat/ sid main # dotgnu # not using anymore #deb-src http://mentors.debian.net/debian unstable main #deb http://mentors.debian.net/debian unstable main # cross compilers #deb http://debian.speedblue.org ./ # down # mrxvt, (some other stuff like libtorrent.. whatever) deb http://mayhq.org/deb/ ./ deb-src http://mayhq.org/deb/ ./ # xmms2 development versions # this shit is not working! host down #deb http://exodus.xmms.se/debian stable main #deb http://exodus.xmms.se/debian testing main -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (990, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.14-jsr Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.iso88591) Versions of packages apt depends on: ii libc6 2.3.5-8 GNU C Library: Shared libraries an ii libgcc1 1:4.0.2-5 GCC support library ii libstdc++6 4.0.2-5 The GNU Standard C++ Library v3 apt recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
