autopkgtest in jessie: mark local archive as [trusted=yes]

Salvatore Bonaccorso carnil at
Wed Dec 21 11:43:18 UTC 2016

Hello Martin, hello Autopkgtest team.

Before I ask SRM anything I would like to hear your opinion. Since
a "recent" apt update in unstable, running the autopkgtests on a host
running jessie without backports does not work anymore.

Background: jessie host, no backports, autopkgtest installed with
version 3.6jessie1. The problem is that adt-run generates a weak
signing key for the repositories.

Since 1.4~beta1, apt has "gpgv: Untrust SHA1, RIPE-MD/160, but allow
downgrading to weak":

This is not a problem anymore with newer autopkgtest packages, since
they no longer use gpg to sign the local archive, since

The whole would probably be too much for backporting to jessie, and
possibly not allowed by SRM, since it means a behaviour change. But do
you think it is sensible to just backport the change to mark the
internal repository with trusted=yes?

-  echo "deb file://%(d)s /" >/etc/apt/sources.list.d/autopkgtest.list
+  echo "deb [trusted=yes] file://%(d)s /" >/etc/apt/sources.list.d/autopkgtest.list
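
Review bot: "[trusted=yes]" on the added echo line makes apt accept this
source without any signature check, and nothing next to the line says why
that is acceptable. Please add a comment stating that the entry covers only
the locally generated file://%(d)s archive and that the option is used
because newer apt rejects the weak signing key, and confirm that the
directory behind %(d)s is writable only by the test runner. If the archive
is no longer verified, the key generation and signing step mentioned in the
mail could be dropped in the same change rather than left as dead code.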

This option (trusted=yes) is available since 0.8.16~exp3, so for any
reasonable suite/distribution probably not a problem.

What do you think?

Thanks already for your time!


