autopkgtest in jessie: mark local archive as [trusted=yes]
Salvatore Bonaccorso
carnil at debian.org
Wed Dec 21 11:43:18 UTC 2016
Hello Martin, hello Autopkgtest team.
(I'm not subscribed to the autopkgtest-devel list, so please keep me
on CC).
Before I ask anything to SRM I would like to hear your opinion. Since
a "recent" apt update in unstable, running the autopkgtests on a host
running jessie without backports, does not work anymore.
Background: jessie host, no backports, autopkgtest installed with
version 3.6jessie1. The problem is that adt-run generates a weak
signing key for the repositories.
Since apt 1.4~beta1, has "gpgv: Untrust SHA1, RIPE-MD/160, but allow
downgrading to weak":
https://anonscm.debian.org/git/apt/apt.git/commit/?id=33d7a8d672c8c720947e81158de4a5a07be05b72
This is not a problem anymore with newer autopkgtest packages, since
they do not use anymore gpg sign the local archive, since
https://anonscm.debian.org/git/autopkgtest/autopkgtest.git/commit/?id=fed8cdbe004280c21337b1edb0a44584ded87daf
The whole would probably to much for backporting to jessie, and
possibly not allowed by SRM, since it means a behaviour change. But do
you think it is sensible to just backport the change, to mark the
internal repository with trusted=yes?
- echo "deb file://%(d)s /" >/etc/apt/sources.list.d/autopkgtest.list
+ echo "deb [trusted=yes] file://%(d)s /" >/etc/apt/sources.list.d/autopkgtest.list
This option (trusted=yes) is available since 0.8.16~exp3, so for any
reasonable suite/distribution probably not a problem.
What do you think?
Thanks already for your time!
Regards,
Salvatore
More information about the autopkgtest-devel
mailing list