Package: apt
Version: 2.6.1
Severity: wishlist
X-Debbugs-Cc: vagr...@reproducible-builds.org

Thanks for maintaining apt! I use it all the time!

No idea how difficult this would be to implement, but...

It would be nice to be able to download content (e.g. .deb or .dsc) normally downloadable via apt from an unauthenticated repository if the checksums on the content match another repository that is authenticated.

Something like in sources.list:

  deb [UnsignedContent=true] https://unauthenticated-mirror.net/debian sid main
  deb https://deb.debian.org/debian sid main

And then something like:

  $ apt update
  Hit:1 https://unauthenticated-mirror.example.net/debian sid Release
  Note: Unsigned Content repository http://unauthenticated-mirror.example.net
  ...
  Hit:6 https://deb.debian.org/debian sid InRelease
  ...
  apt download bash
  Note: checksums for bash matched http://deb.debian.org/debian...
  Get:1 http://unauthenticated-mirror.example.net/debian sid/main amd64 bash amd64 5.2.15-2+b2 [1,491 kB]

This would make it much easier to host partial mirrors or snapshots without needing to mess around with signing keys (both on the mirror side, and on the client side), by relying on the checksum information from a trusted signed repository.

live well,
  vagrant
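
The check this request describes, sketched as an added example (not part of the original report and not apt's code): bytes fetched from an unauthenticated mirror are accepted only when their size and SHA256 match the entry in an index that was already authenticated through the signed repository. The package names, payload and index contents below are constructed, and `verify_untrusted` is a hypothetical helper.

```python
import hashlib
import hmac

SAMPLE_DEB = b"constructed package bytes\n"  # constructed stand-in for a .deb
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DEB).hexdigest()

# Constructed Packages index, standing in for one already authenticated via the
# signed repository's InRelease file (all names and values are made up).
TRUSTED_PACKAGES = f"""\
Package: other-sample
Version: 2.0-1
Architecture: all
Size: 3
SHA256: {'0' * 64}

Package: hello-sample
Version: 1.0-1
Architecture: amd64
Filename: pool/main/h/hello-sample/hello-sample_1.0-1_amd64.deb
Size: {len(SAMPLE_DEB)}
SHA256: {SAMPLE_SHA256}
"""

def parse_stanzas(text):
    """Split a deb822-style index into one dict per blank-line-separated stanza."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas

def verify_untrusted(data, trusted_index, package, version, arch):
    """Accept untrusted bytes only if size and SHA256 match the trusted entry."""
    for s in parse_stanzas(trusted_index):
        if (s.get("Package"), s.get("Version"), s.get("Architecture")) != (package, version, arch):
            continue
        size, sha = s.get("Size"), s.get("SHA256")
        if not size or not sha or len(data) != int(size):
            return False                          # incomplete record or wrong size
        digest = hashlib.sha256(data).hexdigest()
        return hmac.compare_digest(digest, sha.lower())
    return False                                  # no trusted record: fail closed
```

The trust decision rests entirely on the authenticated index; the unauthenticated mirror only supplies bytes, so a missing or mismatched record means the download is rejected.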