
Bug#596498: sources.list: add option to mark unsigned (local) repository as trusted



tags 596498 + patch
thanks

> It would be nice if a repository could be marked as trusted in the
> sources.list.  This would make it easier to use local repositories with,
> for example, pbuilder without having to generate a PGP key, signing the
> repository and finally importing the key into apt, see also [1].

Attached is a patch to add a [trusted=1] option to sources.list.  When
present, the source is regarded as trusted even without a Release.gpg.
Documentation of this feature is still missing.

I did the following testing using apt 0.8.3 with the patch applied:
Installing from an unsigned (or signed with unknown key) repository
causes a warning when [trusted=0] or no option is given in sources.list;
installing from an unsigned (or signed with unknown key) repository does
not warn when [trusted=1] is given in sources.list.

Note that "apt-get update" still warns about unknown signatures even
when [trusted=1] is given for the source.  I do not think this is
harmful as the option is mainly intended for unsigned (local)
repositories anyway.

Regards,
Ansgar
From 8be695d713ad952381069950e4e6ca22498e37ab Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt <ansgar@43-1.org>
Date: Sun, 12 Sep 2010 20:23:38 +0900
Subject: [PATCH] Add trusted option to sources.list

Signed-off-by: Ansgar Burchardt <ansgar@43-1.org>
---
 apt-pkg/deb/debmetaindex.cc |   12 ++++++++++--
 apt-pkg/deb/debmetaindex.h  |    3 ++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 717d0bc..754ea08 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -119,11 +119,12 @@ string debReleaseIndex::SourceIndexURI(const char *Type, const string &Section)
       return URI + "dists/" + Dist + "/" + SourceIndexURISuffix(Type, Section);
 }
 
-debReleaseIndex::debReleaseIndex(string const &URI, string const &Dist) {
+debReleaseIndex::debReleaseIndex(string const &URI, string const &Dist, bool Trusted) {
 	this->URI = URI;
 	this->Dist = Dist;
 	this->Indexes = NULL;
 	this->Type = "deb";
+	this->Trusted = Trusted;
 }
 
 debReleaseIndex::~debReleaseIndex() {
@@ -224,6 +225,9 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const
 
 bool debReleaseIndex::IsTrusted() const
 {
+   if (Trusted)
+      return Trusted;
+
    string VerifiedSigFile = _config->FindDir("Dir::State::lists") +
       URItoFileName(MetaIndexURI("Release")) + ".gpg";
    
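Review bot: The early `if (Trusted) return Trusted;` at the top of IsTrusted() skips the Release.gpg lookup below it entirely, so a source marked trusted=1 is reported as trusted whatever its signature state, including a repository signed with an unknown key. Consider limiting the shortcut to sources that have no Release.gpg at all, or at least logging that verification was overridden for this URI, so the override is visible to whoever administers the machine. `return true;` would also read more clearly than returning the member that was just tested.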
@@ -341,9 +345,13 @@ class debSLTypeDebian : public pkgSourceList::Type
 	    return true;
 	 }
       }
+
+      map<string, string>::const_iterator const trusted = Options.find("trusted");
+      bool Trusted = (trusted != Options.end()) ? StringToBool(trusted->second, 0) : false;
+
       // No currently created Release file indexes this entry, so we create a new one.
       // XXX determine whether this release is trusted or not
-      debReleaseIndex *Deb = new debReleaseIndex(URI, Dist);
+      debReleaseIndex *Deb = new debReleaseIndex(URI, Dist, Trusted);
       if (IsSrc == true)
 	 Deb->PushSectionEntry ("source", new debReleaseIndex::debSectionEntry(Section, IsSrc));
       else
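Review bot: The `trusted` option is only read on the path that creates a new debReleaseIndex, after the earlier `return true;` for an already existing index. A second sources.list line for the same URI and Dist that carries a different trusted value is therefore silently ignored, and which value wins depends on line order. Suggest comparing the option against the existing index and reporting a conflict instead. Passing 0 as the default to StringToBool means an unparsable value ends up as false, which is the right direction to fail, but a diagnostic for an unrecognised value would help. The `// XXX determine whether this release is trusted or not` comment directly above the constructor call should be updated or removed now that the value is passed in.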
diff --git a/apt-pkg/deb/debmetaindex.h b/apt-pkg/deb/debmetaindex.h
index 360fa54..f47e74b 100644
--- a/apt-pkg/deb/debmetaindex.h
+++ b/apt-pkg/deb/debmetaindex.h
@@ -20,10 +20,11 @@ class debReleaseIndex : public metaIndex {
 
    private:
    std::map<string, vector<debSectionEntry const*> > ArchEntries;
+   bool Trusted;
 
    public:
 
-   debReleaseIndex(string const &URI, string const &Dist);
+   debReleaseIndex(string const &URI, string const &Dist, bool Trusted = false);
    ~debReleaseIndex();
 
    virtual string ArchiveURI(string const &File) const {return URI + File;};
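Review bot: The new `bool Trusted;` member and the extra constructor parameter have no comment saying that a true value bypasses signature verification in IsTrusted(); please document that next to the declaration, since the cover message notes that documentation is still missing. The default of `false` keeps existing call sites compiling, but adding a data member and changing the constructor signature alters the class layout and the exported symbol, so if this header is part of the library's installed interface the change needs to be accounted for as an ABI break.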
-- 
1.7.1

