On Friday, 4 October 2019 13:34:21 BST Fred Boiteux wrote:
> On 04/10/2019 at 10:19, Michael Kesper wrote:
> > Hi Fred,
> >
> > …
> >
> > I think it would be better to sign your archive instead.
> > With your modification you would completely disable checking GPG
> > signatures for every repository (who checks warnings?) Sadly, the Debian
> > wiki is full of outdated setups but I cannot find a stringent howto for
> > setting up a trusted repo.
> >
> > Reprepro seems like a possible way to go.
> > It overcomes another misfeature of these minimal repositories: You cannot
> > pin packages to versions of this repository but have to set them on hold,
> > else you always risk getting packages from Debian proper.
> >
> > My 2 cents
> > Michael
>
> Hi Michael,
>
> I thought about that, but I'm not sure it's possible to do it that way:
> indeed, I think the Debian installer keeps internally the Debian GPG
> keys, and will check the repository with these keys only: if I sign my
> repository (which is a strict copy of install DVD-1's repository) with
> my own key, I don't know how to give my key to the Debian-Installer…
>
> This first repository is mainly used to install base packages, I would
> disable it when installation is done.
>
>
> Fred.

I have previously created a local mirror /www/html/mirrors/debian on an
external hard drive using ftpsync which I then sym-linked to /var/www on a
laptop running apache. I have not tried this recently, but suspect that the
mirror must be updated very close to the time it is needed.

-- 
Chris Bell
Website http://chrisbell.org.uk