On Sun, Nov 11, 2007 at 09:24:12AM -0800, Steve Langasek wrote:
> On Sun, Nov 11, 2007 at 01:27:14PM +0100, Florian Weimer wrote:
> > * Wouter Verhelst:
>
> > > That's inevitable because http://incoming.debian.org is not signed; The
> > > update frequency of that repository (which is available only to buildd
> > > hosts by IP and/or password protection) makes that impossible -- or at
> > > least that's what I understood; you may want to check with ftp-masters
> > > for the full story.
>
> > In this case, HTTPS should be used to download the packages, together
> > with proper certificate validation. This has got the added benefit that
> > passwords aren't sent in the clear (well, unless an error occurs, but
> > this is a separate issue).
>
> I believe the Packages file is only exposed over ssh, so there is a trusted
> path - just not one that apt recognizes as being adequate to eliminate the
> authentication warning.

No, that's not true; the Packages files are downloaded over HTTP. This is
just regular apt at work here.

> (Which is unfortunate, because AFAIK the "accept
> unauthenticated packages" flag can't be enabled on a per-source basis.)

That, indeed, is very unfortunate.

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22