"Eugene V. Lyubimkin" <jackyf.de...@gmail.com> writes:

> Goswin Brederlow wrote:
>> Package: cupt
>> Version: 0.2.2
>> Severity: normal
>>
>> Hi,
>>
>> for ia32-apt-get to work it has to do some magic with the Index files
>> apt-get downloads. This means mangling them after they have been
>> downloaded and signatures checked. This is fine in apt-get as it does
>> not check the signature again, only on download.
>>
>> Now cupt on the other hand seems to check the signature on every
>> invocation, even "cupt show cupt", resulting in warnings like this:
>
> Yes, this is considered a feature.
>
>> W: gpg: '/var/lib/apt/lists/chocos_debian_dists_sid-amd64_Release': bad
>> signature: EA4ADBF06B83280C reprepro (signing key)
>> <brede...@informatik.uni-tuebingen.de>
>>
>> The signature check is not needed as the Release.gpg file will ever
>> only be there if the signature did check out during download.
>
> Cupt places Release.gpg to .../lists always. The bad signature will be able to
> become good once you fixed it some way (without re-invoking
> 'apt-get/aptitude/cupt/etc. update'). The good signature will be able to become
> bad once someone revokes its key.
But if the file is there then apt-get/aptitude will consider it good without
checking. So "cupt update; apt-get install" would install packages even if
the signature is bad. Not a good idea. Can't you download the file to the
partial directory like apt-get and only move it when it checks out?

>> So besides this breaking ia32-apt-get it is also a huge waste of time.
>
> I will think about making this behavior optional; nevertheless, how does this
> warning break ia32-apt-get?

It doesn't really break it, at least I assume cupt can install
unauthenticated debs too, but it makes it impossible to see when the
signature is actually bad and when it is just ia32-apt-get mangling. It
makes it insecure.

Cupt will need a wrapper so "cupt update" works right. The wrapper could
also set the option to ignore signature checks other than when
downloading. So that would work.

Does cupt have an equivalent to

    apt-get.real --no-list-cleanup --no-download update

That just parses the existing Packages files and updates its caches
without fetching any files. This needs to be run by ia32-apt-get after
mangling the Packages files to fit (in the cupt wrapper).

MfG
Goswin
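The verify-then-move flow Goswin asks for, as an added illustration that is not code from cupt, apt or this thread: index files land in lists/partial, the detached signature is checked there, and only a verified pair is renamed into lists/, so a consumer that trusts an index merely because its .gpg companion is present (apt-get's behaviour as described above) never sees an unverified one. The gpg check is replaced by an HMAC-SHA256 tag over a constructed key so the script runs offline; that stand-in, the function names and the sample Release content are all assumptions of this example, not anything cupt does.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the archive signing key (assumption). A real apt
# setup checks a detached gpg signature against the trusted keyring; here an
# HMAC-SHA256 tag plays the role of Release.gpg so the flow runs offline.
SIGNING_KEY = b"constructed-example-key"


def sign_release(release: bytes) -> bytes:
    """Produce the stand-in detached signature for a Release file."""
    return hmac.new(SIGNING_KEY, release, hashlib.sha256).hexdigest().encode()


def verify_release(release: bytes, sig: bytes) -> bool:
    """Stand-in for 'gpg --verify Release.gpg Release', constant-time compare."""
    return hmac.compare_digest(sign_release(release), sig)


def fetch_index(lists_dir: str, name: str, release: bytes, sig: bytes) -> bool:
    """Model of the apt-get update flow: write both files into lists/partial,
    verify there, and only then rename them into lists/. On a bad signature
    nothing reaches lists/, so a later tool that trusts a file because its
    .gpg companion exists cannot be misled. Returns True when installed."""
    partial = os.path.join(lists_dir, "partial")
    os.makedirs(partial, exist_ok=True)
    tmp_release = os.path.join(partial, name + "_Release")
    tmp_sig = tmp_release + ".gpg"
    with open(tmp_release, "wb") as f:
        f.write(release)
    with open(tmp_sig, "wb") as f:
        f.write(sig)
    if not verify_release(release, sig):
        # Reject: drop the partial files; lists/ is left exactly as before.
        os.remove(tmp_release)
        os.remove(tmp_sig)
        return False
    # Accept: rename is atomic on POSIX, so lists/ never holds a half-written
    # file and the .gpg only appears next to content that passed the check.
    os.replace(tmp_release, os.path.join(lists_dir, name + "_Release"))
    os.replace(tmp_sig, os.path.join(lists_dir, name + "_Release.gpg"))
    return True


def considered_trusted(lists_dir: str, name: str) -> bool:
    """How apt-get decides later, per the mail: trust follows from the presence
    of the .gpg file in lists/, with no re-verification."""
    return os.path.exists(os.path.join(lists_dir, name + "_Release.gpg"))


def demo() -> dict:
    """Run the good and the bad case in a throwaway lists directory."""
    lists_dir = tempfile.mkdtemp(prefix="lists-")
    # Constructed sample Release content.
    release = b"Origin: example\nSuite: sid\nSHA256:\n 0000 42 main/binary-amd64/Packages\n"
    good_sig = sign_release(release)
    bad_sig = sign_release(release + b"tampered")  # tag over different bytes
    results = {
        "good_installed": fetch_index(lists_dir, "good", release, good_sig),
        "bad_installed": fetch_index(lists_dir, "bad", release, bad_sig),
    }
    results["good_trusted"] = considered_trusted(lists_dir, "good")
    results["bad_trusted"] = considered_trusted(lists_dir, "bad")
    results["partial_empty"] = os.listdir(os.path.join(lists_dir, "partial")) == []
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the two-directory layout is that the presence check in `considered_trusted` is only safe because `fetch_index` never lets an unverified .gpg reach lists/; writing the signature there unconditionally and re-verifying on every invocation instead, as the mail reports cupt doing, breaks that invariant for every other tool sharing the directory.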