Hey Steve,
thank you very much. That sounds like a valid explanation. Let me try to work this out with the third party then and see if I can get them to look into their build process.
I thought about repackaging and looked into the ar parts too, but since this then needs to be done for every version coming out, I would rather not be an additional step in between and have it working out of the box. ;)
Many thanks,
Frank
Hey team,
I'm having issues uploading a specific Debian package to ProGet:
Although the package is quite simple and contains a control file, proget says it does not.
└── pkg
├── DEBIAN
│ ├── control
│ └── md5sums
└── usr
├── bin
│ └── connecTI-Key
└── share
├── applications
│ └── connecTI-Key.desktop
└── icons
└── hicolor
├── 128x128
│ └── apps
│ └── connecTI-Key.png
├── 256x256@2
│ └── apps
│ └── connecTI-Key.png
└── 32x32
└── apps
└── connecTI-Key.png
Manual installation per apt works fine.
Unpacking it with dpkg-deb -R and repacking dpkg-deb -b seems to fix it?
I afterwards was able to upload it. It is a third party package, how can I find out why the originally provided version is not accepted?
Many thanks,
Frank
Hi Alana,
thanks, great to hear you are working on this and it is also being an improvement. :)
Waiting for the update then and wishing a good start into the week,
Frank
Hey team,
hope you are well!
With Debian 13 Trixie, I do get this error with our proget repo:
Warnung: https://proget.<reponame>/debian/<feedname>/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://proget.zollsoft.de/debian/deb-proxmox/dists/bookworm/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Error: Policy rejected packet type
Caused by:
Signature Packet v3 is not considered secure since 2026-02-01T00:00:00Z
I've read some git and reddit threads about the issue, but marking the repo as trusted and allow_insecure doesn't solve the issue for me really. At https://tracker.debian.org/pkg/apt I might have missed information about it. So checking in with you guys, if you are aware of this.
Many thanks,
Frank
Hey Alana,
thank you very much. Maybe this is some issue with our setup then. I will further check and investigate on our side first. :)
Best,
Frank
Hey Team,
when developing and testing Debian packages, I sometimes do not increase the version of the package for testing as this sometimes unneccessarily makes version increments higher than needed.
Our internal repo is replicated to an external repo from which most machines download their packages.
I stumbled accross the issue, that the package is uploaded by me to the internal repo, but it is not getting replicated to the external one, if I do not increase the version.
Can the replication be extended to check for a different timestamp / hash value, so packages will be replicated even if their version is the same, but the timestamp is newer, the hash value has changed?
Many thanks!
Frank
Hey Alana,
sorry for the late response!
And thank you for the update. You are totally right, this will not happen often, even rare, so I think we can work with this solution. :)
Have a great day,
Frank
Hey Alana,
thank you for the reply.
Our security team is asking to be able to revoke public keys and swap them out as a preventive action or in case of bad things that might happen.
While you are right, that SSL/HTTPS does secure the connection to a server, I haven't heard of signing repos is deprecated.
It ensures (besides the SSL/HTTPS) that the packages downloaded are eligible and verified for installation from the configured repo.
If this is not supported, then that's the way it is, although being able to upload a custom signing key would be a great feature. ;)
Have a great day,
Frank
Dear Support,
we are having our feeds for debian configured and they are running fine, but we are thinking about a possibility to be able to swap the automatically generated key.
In the admin settings we could not find a way to swap the key used for the repo and signing the packages to a custom one.
Does such an option exist?
Is there maybe an API to swap a signing key for a feed / repo, which can be used by CI/CD?
Many thanks!
Frank
Thank you for taking time to sort this out with me!
I greatly appreciate your efforts and will be happy, if this works out well. :)