Hello,

On Wed, Sep 02, 2020 at 12:43:35PM -0500, R. Ramesh wrote:
> My only wish is apt is updated to say something about the fact
> that this is unsupported and users are on their own, but still
> provide the download/install without we having to manually
> intervene.

I think¹ that there are two distinct things here:

1) The Debian Project's apt repositories and archives.

2) The software packages "apt" and "apt-get", designed for
   interacting with an apt archive.

It is my understanding that:

- The Debian Project has chosen to use key expiry as an indication
  (or one of the indications) that a particular distribution in its
  repository is no longer maintained.

- The "apt" commands interpret an expired key as a repository that
  should not be used without manual intervention.

So in effect allowing the key to expire *is* the message that you are
looking for, and having to force apt to ignore that can provide a
download, albeit with manual intervention necessary.

Apparently with an apt from stretch onwards you can configure
Check-Valid-Until in the actual sources file itself, so when stretch
is archived it could be referred to like this:

    deb [check-valid-until=no] http://archive.debian.org/debian/ stretch main

in /etc/apt/sources.list or a snippet inside
/etc/apt/sources.list.d/. That would disable the expired key check
for just the archived stretch and not every repository you have
configured, with no command line override required.

Something I am not sure of:

The key signs the repository's Release file, and the Release file
contains (amongst other things) checksums for the index files. The
index files contain hashes of all the actual files, so you need a
valid Release file to ensure integrity of indices which then ensure
integrity of actual packages.

If one forces apt to accept a Release file whose signing key has
expired, does apt still check the hashes in the indices that the
Release file references in order to ensure integrity of the files
that are downloaded? That is, will disabling Check-Valid-Until also
disable file integrity checks?

There is more in man page apt-secure about what security things can
be overridden.

https://manpages.debian.org/buster/apt/apt-secure.8.en.html

Cheers,
Andy

¹ and I could well be wrong, since I am only a user of Debian, not a
  Developer or contributor to apt.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

> I'd be interested to hear any (even two word) reviews of their sofas…

Provides seating. — Andy Davidson
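
Added example, not part of the message above and not apt's own code: a simplified model of the chain the message describes (Release lists index checksums, the index lists package hashes), with the validity-period test kept as its own function. sources.list(5) documents check-valid-until as the switch for the Release file's validity-period check; the suite, paths and package below are constructed sample data, and signature verification of the Release file is assumed to have happened already.

```python
import hashlib
from datetime import datetime, timezone

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_release(text):
    """Return (fields, {index path: (sha256, size)}) from a Release file body."""
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and section == "SHA256":
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        elif not line.startswith(" ") and ":" in line:
            section, _, value = line.partition(":")
            fields[section] = value.strip()
    return fields, hashes

def release_expired(fields, now):
    """Valid-Until test: the step that check-valid-until=no switches off."""
    until = fields.get("Valid-Until")
    if until is None:
        return False
    limit = datetime.strptime(until, "%a, %d %b %Y %H:%M:%S UTC")
    return now > limit.replace(tzinfo=timezone.utc)

def index_ok(hashes, path, data):
    """Index bytes must match the size and SHA256 listed in Release."""
    return hashes.get(path) == (sha256(data), len(data))

def package_ok(index_text, filename, data):
    """Package bytes must match the Size and SHA256 of their index stanza."""
    for stanza in index_text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if f.get("Filename") == filename:
            return f.get("SHA256") == sha256(data) and int(f["Size"]) == len(data)
    return False

# Constructed sample data (not taken from any real archive).
DEB = b"constructed package payload"
PATH = "pool/main/e/example/example_1.0_all.deb"
INDEX = f"Package: example\nFilename: {PATH}\nSize: {len(DEB)}\nSHA256: {sha256(DEB)}\n"
RELEASE = ("Suite: oldoldstable\nDate: Sat, 01 Aug 2020 00:00:00 UTC\n"
           "Valid-Until: Sat, 08 Aug 2020 00:00:00 UTC\nSHA256:\n"
           f" {sha256(INDEX.encode())} {len(INDEX.encode())} main/binary-amd64/Packages\n")
```

In this model an expired Release still carries the same checksums, so index_ok and package_ok give the same answers whether or not release_expired is consulted.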