Ansgar Burchardt <ans...@43-1.org> writes: > tags 596498 + patch > thanks > >> It would be nice if a repository could be marked as trusted in the >> sources.list. This would make it easier to use local repositories with, >> for example, pbuilder without having to generate a PGP key, signing the >> repository and finally importing the key into apt, see also [1]. > > Attached is a patch to add a [trusted=1] option to sources.list. When > present, the source is regarded as trusted even without a Release.gpg. > Documentation of this feature is still missing. > > I did the following testing using apt 0.8.3 with the patch applied: > Installing from an unsigned (or signed with unknown key) repository > causes warning when [trusted=0] or no option is given in sources.list; > installing from an unsigned (or signed with unknown key) repository does > not warn when [trusted=1] is given in sources.list.
I would have used 'trust=always', 'trust=key' (default) and 'trust=never'. But otherwise the patch looks good to me. > Note that "apt-get update" still warns about unknown signatures even > when [trusted=1] is given for the source. I do not think this is > harmful as the option is mainly intended for unsigned (local) > repositories anyway. I think that is a good idea. Consider the scenario that you have an unsigned repository and later a signature is added. You then see the warning about the new signature and can add the right key instad of continuing to use the source untrusted. > Regards, > Ansgar MfG Goswin -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org