On 04/10/2019 at 10:19, Michael Kesper wrote:
Hi Fred,
…
I think it would be better to sign your archive instead.
With your modification you would completely disable checking GPG signatures for
every repository (who checks warnings?)
Sadly, the Debian wiki is full of outdated setups but I cannot find a stringent
howto for setting up a trusted repo.
Reprepro seems like a possible way to go.
It overcomes another misfeature of these minimal repositories: You cannot pin
packages to versions of this repository but have to set them on hold, else you
always risk getting packages from Debian proper.
My 2 cents
Michael
Hi Michael,
I thought about that, but I'm not sure it's possible to do it that way:
indeed, I think the Debian installer keeps the Debian GPG keys
internally, and will check the repository with these keys only: if I sign my
repository (which is a strict copy of install DVD-1's repository) with
my own key, I don't know how to give my key to the Debian-Installer…
This first repository is mainly used to install base packages, I would
disable it when installation is done.
Fred.