autopkgtest in jessie: mark local archive as [trusted=yes]

Salvatore Bonaccorso carnil at debian.org
Wed Dec 21 11:43:18 UTC 2016


Hello Martin, hello Autopkgtest team.

(I'm not subscribed to the autopkgtest-devel list, so please keep me
on CC).

Before I ask SRM anything I would like to hear your opinion. Since
a "recent" apt update in unstable, running the autopkgtests on a host
running jessie without backports does not work anymore.

Background: jessie host, no backports, autopkgtest installed with
version 3.6jessie1. The problem is that adt-run generates a weak
signing key for the repositories.

Since 1.4~beta1, apt has "gpgv: Untrust SHA1, RIPE-MD/160, but allow
downgrading to weak":

https://anonscm.debian.org/git/apt/apt.git/commit/?id=33d7a8d672c8c720947e81158de4a5a07be05b72

This is not a problem anymore with newer autopkgtest packages, since
they no longer use gpg to sign the local archive, since

https://anonscm.debian.org/git/autopkgtest/autopkgtest.git/commit/?id=fed8cdbe004280c21337b1edb0a44584ded87daf

The whole would probably be too much for backporting to jessie, and
possibly not allowed by SRM, since it means a behaviour change. But do
you think it is sensible to just backport the change to mark the
internal repository with trusted=yes?

-  echo "deb file://%(d)s /" >/etc/apt/sources.list.d/autopkgtest.list
+  echo "deb [trusted=yes] file://%(d)s /" >/etc/apt/sources.list.d/autopkgtest.list
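
Review bot: The [trusted=yes] added to the deb line switches off signature verification for everything served from file://%(d)s, so the backport should state, in a comment next to this echo or in the changelog, that this is acceptable only because the archive is the local one adt-run builds itself, and that its contents are then trusted on the directory's file permissions alone. If the jessie version keeps generating the weak key and signing this archive, that step no longer has any effect on what apt accepts once this line is in place; consider dropping it in the same change or noting why it stays. The option is scoped to this one sources.list.d entry, which is the right granularity, and it should stay that way rather than being replaced by a global apt setting.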

This option (trusted=yes) is available since 0.8.16~exp3, so for any
reasonable suite/distribution probably not a problem.

What do you think?

Thanks already for your time!

Regards,
Salvatore


