On Wed, Nov 23, 2005 at 04:47:02PM +0100, Michael Vogt wrote:

Hi,

> > I have a local package repository that is pieced together from many
> > different sources. I don't have a signed Release file (is there an easy way
> > to generate one automatically?); I only generate my own Packages file.
> 
> It's a matter of runing apt-ftparchive and gpg, see apt-secure(8) for
> a discussion.

OK, will do; thanks.

> > Nevertheless, when apt-get needs to fetch packages, it ignores my local
> > repository and downloads the exact same packages from the net instead,
> > presumably because those repositories are signed. (But do correct me if I'm
> > wrong.)
> [..]
> 
> Yes, it's a feature of apt to prefer signed sources. But if you run it
> with --allow-unauthenticated, it should behave exactly as the 0.5.x
> versions. Can you please try/confirm this?

This switch seems to work as advertised here; alas, the manpage isn't very
clear about it - it just seems to say that this turns off the prompt about
unsigned packages.

This is a good enough workaround for me, but I still think the new behaviour
is wasteful (it wastes bandwidth) - if two packages have the same size and
md5sum, they can IMO be assumed to have the same signatures too.

Andras

-- 
                 Andras Korn <korn at chardonnay.math.bme.hu>
                 <http://chardonnay.math.bme.hu/~korn/> QOTD:
      Whoever decided to limit taglines to a single line can just kiss my


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to