I just wanted to clarify some of the things that were said above. First of all, Devuan does not want to "extort" anything ;)

Second, OmegaPhil approached us on IRC saying that Devuan "had" to set Origin, because having it blank was breaking "aptitude changelog", which "verifies" the source of the repo. I pointed out that, according to:

https://wiki.debian.org/DebianRepository/Format#Origin

Origin is an "Optional field indicating the origin of the repository, a single line of free form text".

So, the check currently implemented in aptitude, based on matching the optional "single line of free form text" contained in Origin, is *not* useful to "verify" anything. It can only verify that the distributor (whoever they are, not necessarily Debian or Ubuntu or Devuan) has put that specific string in Origin.

We all know that the only way to check that a repo is genuinely from Debian is by verifying that the corresponding Release files were signed with the release keys published at:

https://ftp-master.debian.org/keys.html

so that specific check OmegaPhil is referring to is not adding any extra level of security.

I personally think that a sane solution would be to have that check configurable in aptitude, but I don't see it as a priority, TBH.

My personal take is that, if a fix is implemented, the users should be warned that those extra checks based on Origin are only indicative, and do not add any level of security.

Hope this helps to clarify this matter.

Thanks again for your work on Debian and aptitude: it is very much appreciated.

HND

KatolaZ

--
[ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ]
[ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
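The distinction drawn in the message above, as an added example that is not part of the original e-mail and is not code from aptitude or apt: the trust decision rests only on the result of a signature check, and Origin is reported as an indicative label. The function names and both sample Release texts are constructed for illustration; the keyring path is whatever file the caller has populated with the release keys.

```python
import subprocess

def parse_release(text):
    """Parse the fields of a Release file (deb822 style) into a dict."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:     # continuation line (checksum lists)
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()           # field names are case-insensitive
            fields[last] = value.strip()
    return fields

def signature_ok(release, detached_sig, keyring):
    """Check Release against Release.gpg with gpgv.

    keyring should be an absolute path to a keyring holding the release keys.
    """
    result = subprocess.run(
        ["gpgv", "--keyring", keyring, detached_sig, release],
        capture_output=True)
    return result.returncode == 0

def assess(release_text, sig_verified, expected_origin="Debian"):
    """Trust comes from the signature result; Origin is only a label."""
    origin = parse_release(release_text).get("origin", "")
    return {
        "trusted": bool(sig_verified),
        "origin": origin or None,                 # None when the field is absent
        "origin_matches": origin == expected_origin,
    }

# Constructed samples, not real Release files.
UNSIGNED_LOOKALIKE = ("Origin: Debian\nLabel: Debian\nSuite: stable\n"
                      "SHA256:\n 00ff 12 main/Release\n")
SIGNED_NO_ORIGIN = "Label: Example\nSuite: stable\nCodename: example\n"

if __name__ == "__main__":
    # Origin matches, yet nothing vouches for the file.
    print(assess(UNSIGNED_LOOKALIKE, sig_verified=False))
    # Origin is blank, yet the signature check passed.
    print(assess(SIGNED_NO_ORIGIN, sig_verified=True))
```

In real use, `sig_verified` would be the return value of `signature_ok()` for the downloaded Release and Release.gpg pair.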