Dear Maintainer, The warning first appeared for debian weekly build for 20151207, and remains in latest weekly build for 20151214. The warnings did not appear before. Steps to reproduce: Write debian testing weekly build to usb flash (http://cdimage.debian.org/cdimage/weekly-builds/i386/jigdo-dvd/debian-testing-i386-DVD-1.jigdo) Run these commands: $ sudo apt-get update Reading package lists... Done $ mount|grep cdrom $ sudo apt-cdrom add Using CD-ROM mount point /media/cdrom/ Unmounting CD-ROM... Waiting for disc... Please insert a Disc in the drive and press [Enter] <in other terminal run "sudo mount /dev/sdb1 /media/cdrom/"> Mounting CD-ROM... Identifying... [5dce0a5d52ec05a9ded11e0aba6fc448-2] Scanning disc for index files... Found 2 package indexes, 0 source indexes, 2 translation indexes and 0 signatures This disc is called: 'Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22' Reading Package Indexes... Done Reading Translation Indexes... Done Writing new source list Source list entries for this disc are: deb cdrom:[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22]/ stretch contrib main Unmounting CD-ROM... Repeat this process for the rest of the CDs in your set. $ mount|grep cdrom $ sudo mount /dev/sdb1 /media/cdrom/ mount: /dev/sdb1 is write-protected, mounting read-only $ sudo apt-get update Ign:1 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch InRelease Ign:2 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch Release Hit:3 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib i386 Packages Ign:4 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib all Packages Ign:5 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib Translation-en_US Hit:6 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib Translation-en Hit:7 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main i386 Packages Ign:8 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main all Packages Ign:9 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main Translation-en_US Hit:10 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main Translation-en Ign:4 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib all Packages Ign:5 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib Translation-en_US Ign:8 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main all Packages Ign:9 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main Translation-en_US Ign:4 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib all Packages Ign:5 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib Translation-en_US Ign:8 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main all Packages Ign:9 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main Translation-en_US Ign:4 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib all Packages Ign:5 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib Translation-en_US Ign:8 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main all Packages Ign:9 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main Translation-en_US Ign:4 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib all Packages Ign:5 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/contrib Translation-en_US Ign:8 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main all Packages Ign:9 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main Translation-en_US Reading package lists... Done W: The repository 'cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch Release' does not have a Release file. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. Why do these warnings appear and what should be done to remove them? BTW, I noticed that while installing packages apt-get reports packages from cdrom, which it did not do before, like this: Get:315 cdrom://[Debian GNU/Linux testing _Stretch_ - Official Snapshot i386 DVD Binary-1 20151214-05:22] stretch/main i386 socat i386 1.7.3.0-1 [346 kB]
In apt-secure(8) manpage it is said that there must be Release.gpg or InRelease in addition to Release. Is there a way to disable this warning? Maybe this Release.gpg or InRelease should be provided by default on official iso image, because it is already verified by checksum?
This bug report may be closed.
Dear Maintainer, FWIW, I'd rather this not just be closed but something be done about it. Using official ISO images, actually using them, not just booting off them, should not result in scary warnings or losing apt-secure. Which is it, anyway? Do the images not have the necessary files (why?), does apt-cdrom not handle them correctly ...? Regards, Christian Pernegger
First of all, thank you very much for maintaining
apt.
It seems to me that Debian's fine system
administration tools, like apt, make the life of
system administrators easier.
The main reason I'm writing is I may have
replicated the bug originally reported here.
In 2019.
While trying to upgrade a computer running stable
to testing on DVDs.
Here's what I tried:
root$ cd-rom add # With testing DVD 1 in the optical drive
root$ cd-rom add # With testing DVD 2 in the optical drive
root$ cd-rom add # With testing DVD 3 in the optical drive
root$ apt update
Ign:1 cdrom://[Debian GNU/Linux testing _Bullseye_ - Official Snapshot i386 DVD Binary-1 (date and time bla bla bla)] bullseye InRelease
(5 similar error messages)
Err:7 cdrom://[Debian GNU/Linux testing _Bullseye_ - Official Snapshot i386 DVD Binary-1 (date and time bla bla bla)] bullseye Release
Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get update cannot be used to add new CD-ROMs
(10 similar error messages)
Reading package lists... Done
E: The repository 'cdrom://[Debian GNU/Linux testing _Bullseye_ - Official Snapshot i386 DVD Binary-1 (date and time bla bla bla)] Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
(10 similar error messages)
N: See apt-secure(8) manpage for repository creation and user configuration details.
I also tried
root$ apt-get update
and editing /etc/apt/sources.list by
commenting out stable's cdrom lines and
inserting between the words "deb" and "cdrom:"
[ trusted=yes ] and
[ trusted=yes allow-insecure=yes ]
No luck.
So,
Kingsley
Sorry, I just discovered this bug report. I have been having this problem
for years, and don't remember when it started. I have been using a
workaround, but would like to find a better solution. I see the
workaround I have been using is one of those Kingsley G. Morse tried
but could not get to work.
The workaround is, after registering each CD-ROM using apt-cdrom,
modify the /etc/sources.list file. Edit it to add the "trusted" flag to
the entry for each CD-ROM. (In my case, I am using DVDs.) For example:
deb [trusted=yes] cdrom:[Debian GNU/Linux 10.9.0 _Buster_ - Official
amd64 DVD Binary-2 20210327-10:39]/ buster contrib main
Then run "apt update". Which now works, although it generates an
annoying number of "ign:" messages.
Presumably it is okay to "trust" your CD-ROM set because you have
physical control of it, and thus are reasonably sure it has not been
tampered with. However, recently I happened to read the apt-secure man
page, which warns that some future release of apt will no longer honor
flags like "trust". That warning started me hunting for a better
solution. Haven't found it yet, but did find this bug report.
I can replicate the bug in a variety of situations, but below I give an
example of a particularly simple test case:
I am running Debian stable amd-64 with a fairly standard desktop
selection of packages. First I use my favorite Internet mirror to
update to the latest stable release 10.9. No problems. Then,
I download the first few DVD images of the same release. So far,
these are reasonable actions for someone who doesn't always have good
Internet. Next, register the DVDs using apt-cdrom, but for testing
purposes, I only register one of them. I choose the second DVD of the set,
because I happen to know the names of some packages it contains but I have
not yet installed. Next, I disable the Internet repository, by editing
/etc/sources.list to comment out its entry. Then run "apt update", which
results in the following errors:
Ign:1 cdrom://[Debian GNU/Linux 10.9.0 _Buster_ - Official amd64
DVD Binary-2 20210327-10:39] buster InRelease
Err:2 cdrom://[Debian GNU/Linux 10.9.0 _Buster_ - Official amd64
DVD Binary-2 20210327-10:39] buster Release
Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get
update cannot be used to add new CD-ROMs
Hit:3 http://security.debian.org/debian-security buster/updates
InRelease
Reading package lists... Done
E: The repository 'cdrom://[Debian GNU/Linux 10.9.0 _Buster_ -
Official amd64 DVD Binary-2 20210327-10:39] buster Release' does not
have a Release file.
N: Updating from such a repository can't be done securely,
and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user
configuration details.
Next, I verify the DVD really was excluded from the update. I run "apt
search" on some of its packages. As expected, "apt search" does not find
them.
To test the workaround, I apply it as described above. After running
"apt update" I then run "apt search" for the same packages as before,
confirming apt now knows they exist. I then run "apt install" on one of
the packages on DVD #2, and confirm it installs okay.