On Wed, 2022-07-27 at 11:10:13 -0500, tmcconnell...@gmail.com wrote: > >I assume you have something installed that downloads source packages > > (and perhaps builds them) as part of the upgrade?
> Gnome Software and I left sources.list pretty much as it came from the > net install CD. Hmm, I've checked gnome-software and I don't see anything obvious there that would cause sources to be downloaded. After looking for something using the /var/cache/apt/sources/ pathname, I've found apt-listdifferences which seems like a matching culprit. Do you happen to have that installed? If so, the problem is that it calls debdiff, which always verifies signatures, even though apt-listdifferences downloaded it from the archive, so there should be no need for that. Then I'd reassign to apt-listdifferences which would need a new option in debdiff to be able to request passing --no-check to dpkg-source. > So I'm getting this because some packages no longer have a maintainer, > that sucks, hope you guys get some more maintainers for those projects. Not necessarily, it might well be that these packages did not get uploaded after these maintainers updated their OpenPGP keys, and have remained with weak signatures. We should probably add some QA check (if there's none yet in place), to catch that, I'll check that out too. Thanks, Guillem
