Package: apt
Version: 0.6.41
Severity: grave
Tags: d-i
All current etch netinst and full CDs fail to install now, since secure
apt has entered testing[1]. Apt complains that packages can't be
authenticated, since the CD does not include signed Release files.
Unless this is fixed very soon, the next d-i beta release will have to
not include such CDs, and limit itself to businesscard CDs and netboot
mini isos.
As I understand it, there is basically no way we can build official
Debian CDs that are signed with our archive signing key. There is also
currently no way to turn off the signature checking that doesn't disable
it for all apt sources, which wouldn't be an acceptible tradeoff.
The simplest fix would be to special case apt to not require CD sources
to be authenticated. This seems ok to me, since the user has already
*booted* the CD, at least when using it as install media.
Another approach might be to create a separate key that's used to sign
CD builds, but this has lots of problems. Current daily Debian CD builds
happen on a non-DSA controlled machine. If apt trusted the key that
would weaken its security for non-CD sources too.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages apt depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libgcc1 1:4.0.2-2 GCC support library
ii libstdc++6 4.0.2-2 The GNU Standard C++ Library v3
apt recommends no packages.
-- no debconf information
--
see shy jo
[1] Kicking myself for not having filed this bug earlier; this problem
has been anticipated for months.
Attachment:
signature.asc
Description: Digital signature