Control: tag -1 patch Hi!
On Wed, 2022-07-27 at 21:39:30 +0200, Guillem Jover wrote: > On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote: > > When running this command `apt-get dist-upgrade -y -m` > The problem here in the end was (confirmed off-BTS) that > apt-listdifferences is installed on the system, which downloads the > source packages for binary packages being upgraded to debdiff them. > But those source packages had been signed with a weak algorithm, which > is rejected by dpkg-source (even though that command defaults to > warning only). > > Because when downloading the source packages from the archive, they > have switched their trust anchor from the uploader to the archive, > which takes care of key (re)signing, expiration and rotation, checking > the signatures in the .dsc can be more confusing than helpful. (This > would be a different matter if the .dsc reached the system through > some other means such as scp or sneaker net or whatever). > > So, ideally apt-listdifferences would call debdiff and request for it > to pass --no-check to dpkg-source. But there is currently no such > option. I'll file another report, and block this one with that other > one. The recently uploaded devscripts now includes support for --no-check in debdiff. So we can use that to fix this report. Thanks, Guillem
