On Wed, 23 Nov 2005, Goswin von Brederlow wrote:
> But in the general case it would be nice if apt-get would get the
> file/size/md5sum from a trusted Packages file and then fetch the deb
> from an untrusted source if it matches.

On Wed, 23 Nov 2005, Andras Korn wrote:
> [...] if two packages have the same size and md5sum, they can IMO be
> assumed to have the same signatures too.

Hi.

I agree with Goswin and Andras here. If sources.list is like this:

deb file:/local-repository
deb http://official-mirror

and package "foo" is in both repositories, and it has the same md5sum, the fact that it's authenticated in http://official-mirror should be enough to consider it authenticated in file:/local-repository as well.

In other words, apt's internal logic should be changed: it should be the md5sum of a package (i.e. "the package itself") that is considered authenticated or not, not the pair "package foo from repository bar". Or at least there should be an option for apt to behave in this way.

It does not make much sense that the user has to fiddle with gpg, keys, signatures, etc. when all he wants to do is to have a local repository which serves as a cache for packages which are already authenticated by other means.

Thanks.
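The check the thread describes (take Size and the digest from a trusted Packages index, then accept a .deb from any source only if the file matches) can be written down concretely. The following is an added example, not apt's own code and not posted by anyone in the thread. The Packages stanza and the .deb bytes are constructed inline; the package name, version and pool path are placeholders. It goes slightly beyond the thread in one respect: it compares every digest field the index carries, checking SHA256 first when present, so that a mismatch on any field is a rejection and an index with no digest at all cannot vouch for anything.

```python
"""Verify a .deb obtained from an untrusted source against a trusted Packages index.

Added example (not apt's implementation). The index text and the package
bytes below are constructed for the demonstration.
"""
import hashlib

# Constructed stand-in for a .deb (a real one is an ar archive; the
# verification only cares about bytes, so any content will do here).
GOOD_DEB = b"!<arch>\nconstructed-not-a-real-package\n"
# Same length, one byte changed: the kind of file a poisoned cache might serve.
TAMPERED_DEB = GOOD_DEB[:-2] + b"X\n"


def make_trusted_stanza(name, version, filename, data):
    """Build the Packages stanza a signed (trusted) mirror would publish for `data`.

    In real use this text comes from the verified Packages file; it is
    generated here only so the example is self-contained.
    """
    return (
        f"Package: {name}\n"
        f"Version: {version}\n"
        f"Architecture: all\n"
        f"Filename: {filename}\n"
        f"Size: {len(data)}\n"
        f"MD5sum: {hashlib.md5(data).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(data).hexdigest()}\n"
        f"Description: constructed sample package\n"
        f" This continuation line is part of the Description field.\n"
        "\n"
    )


# Hypothetical package from the trusted mirror's index.
TRUSTED_PACKAGES = make_trusted_stanza(
    "foo", "1.0-1", "pool/main/f/foo/foo_1.0-1_all.deb", GOOD_DEB
)


def parse_packages(text):
    """Parse Packages-style stanzas (blank-line separated, 'Field: value' lines).

    Continuation lines (leading whitespace) belong to the previous field and are
    ignored here because only single-line fields are needed for verification.
    """
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def find_stanza(stanzas, name, version):
    """Locate the trusted stanza for an exact package/version pair."""
    for stanza in stanzas:
        if stanza.get("Package") == name and stanza.get("Version") == version:
            return stanza
    return None


# Checked in this order; strongest digest first.
DIGEST_FIELDS = (("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5sum", "md5"))


def verify_deb_bytes(stanza, data):
    """Return (ok, reason). Accept only if Size and every digest in the index match."""
    if stanza.get("Size") != str(len(data)):
        return False, "size mismatch"
    checked = []
    for field, algo in DIGEST_FIELDS:
        expected = stanza.get(field)
        if expected is None:
            continue
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            return False, f"{field} mismatch"
        checked.append(field)
    if not checked:
        return False, "index carries no digest"
    return True, "verified via " + ", ".join(checked)


def verify_deb_file(stanza, path):
    """Same check for a file on disk (e.g. one served by a local cache repository)."""
    with open(path, "rb") as fh:
        return verify_deb_bytes(stanza, fh.read())


if __name__ == "__main__":
    stanza = find_stanza(parse_packages(TRUSTED_PACKAGES), "foo", "1.0-1")
    print("good copy:    ", verify_deb_bytes(stanza, GOOD_DEB))
    print("tampered copy:", verify_deb_bytes(stanza, TAMPERED_DEB))
```

With this logic the local cache repository needs no signature of its own: anything it serves is either byte-identical to what the trusted index describes, and therefore already authenticated, or rejected.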