on LMDE mintUpdate warns: software can't be authenticated

[rpr-nospam]

Hi!

I'd like to raise an old issue with mintUpdate (Mint Update Manager) which is still present, IMHO.

Code: Select all

$ dpkg -l | grep mintupdate
ii  mintupdate-debian 1.0.6 all Update Manager

LMDE x64 tracks Debian Testing with some additional repositories which are not crucial for the issue (it is also present with the additional repos removed):

Code: Select all

$ inxi -r
Repos:     Active apt sources in file: /etc/apt/sources.list
           deb [arch=amd64,i386] http://ftp.hr.debian.org/debian/ testing main contrib non-free
           deb [arch=amd64,i386] http://ftp.hr.debian.org/debian/ experimental main contrib non-free
           deb [arch=amd64,i386] http://security.debian.org testing/updates main
           deb [arch=amd64,i386] http://packages.linuxmint.com/ debian main upstream import backport
           deb [arch=amd64,i386] http://debian.mur.at/debian-multimedia/ testing main non-free
           Active apt sources in file: /etc/apt/sources.list.d/multisystem.list
           deb http://liveusb.info/multisystem/depot all main
           Active apt sources in file: /etc/apt/sources.list.d/x2go.list
           deb http://packages.x2go.org/debian jessie main

When I try to upgrade packages in mintUpdate the following warning is displayed:

You are about to install software that can't be authenticated! Doing this could allow a malicious individual to damage or take control of your system.

Here is the screenshot:

mintUpdate_warning.png

In /usr/lib/linuxmint/mintUpdate/mintUpdate.py I found out that it invokes synaptic for upgrading packages. But if I try to do the upgrade in synaptic, it doesn't show the warning:

synaptic_upgrade.png

Moreover, both apt-get and aptitude don't show the warning:

Code: Select all

$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  coreutils libbit-vector-perl libbrlapi0.6 libnewt0.52 libsnmp-base
  libsnmp30 python-brlapi python-crypto python-dbus python-lxml
  python-markupsafe python-numpy python-openssl python-sip
  python-zope.interface python3-dbus whiptail
17 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 14.2 MB of archives.
After this operation, 2,284 kB of additional disk space will be used.
Do you want to continue [Y/n]? 

Code: Select all

$ sudo aptitude upgrade
The following packages will be upgraded: 
  coreutils libbit-vector-perl libbrlapi0.6 libnewt0.52 libsnmp-base
  libsnmp30 python-brlapi python-crypto python-dbus python-lxml
  python-markupsafe python-numpy python-openssl python-sip
  python-zope.interface python3-dbus whiptail 
17 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 14.2 MB of archives. After unpacking 2,284 kB will be used.
Do you want to continue? [Y/n/?] 

Here are the keys used by apt to authenticate packages:

Code: Select all

$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/0FF405B2 2009-04-29
uid                  Clement Lefebvre (Linux Mint Package Repository v1) <root (@) linuxmint.com>
sub   2048g/0F346519 2009-04-29

pub   1024D/1F41B907 1999-10-03
uid                  Christian Marillat <marillat (@) debian.org>
uid                  Christian Marillat <marillat (@) free.fr>
sub   1536g/C28DCC42 1999-10-03
sub   1024D/5D3877A7 2002-08-26

pub   1024D/96F89133 2009-02-09
uid                  Oleksandr Shneyder <oleksandr.shneyder (@) obviously-nice.de>
sub   2048g/76AC2B76 2009-02-09

pub   2048R/5BFE2B6E 2011-03-10
uid                  X2go Debian/Ubuntu Packaging <debian (@) x2go.org>
sub   2048R/F489CDCF 2011-03-10

pub   2048R/DD7FB8CC 2010-06-28
uid                  Fabre François (multiboot gpg key) <liveusb (@) gmail.com>
sub   2048R/6FECE640 2010-06-28

pub   1024D/7FAC5991 2007-03-08
uid                  Google, Inc. Linux Package Signing Key <linux-packages-keymaster (@) google.com>
sub   2048g/C07CB649 2007-03-08

/etc/apt/trusted.gpg.d//debian-archive-squeeze-automatic.gpg
------------------------------------------------------------
pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster (@) debian.org>

/etc/apt/trusted.gpg.d//debian-archive-squeeze-stable.gpg
---------------------------------------------------------
pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
uid                  Squeeze Stable Release Key <debian-release (@) lists.debian.org>

/etc/apt/trusted.gpg.d//debian-archive-wheezy-automatic.gpg
-----------------------------------------------------------
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster (@) debian.org>

/etc/apt/trusted.gpg.d//debian-archive-wheezy-stable.gpg
--------------------------------------------------------
pub   4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
uid                  Wheezy Stable Release Key <debian-release (@) lists.debian.org>

I conclude that mintUpdate finds a problem with authentication of packages while the other tools do not.

Is there a bug in mintUpdate regarding this? (Clement Lefebvre and Chris Hodapp are listed as the authors of mintUpdate.)

-- rpr.

[Monsta]

A little research (involving a lot of fuss with snapshot.debian.org) showed me that it broke on update of apt from 0.9.7.8~exp2 to 0.9.7.8. Particularly [url=http://anonscm.debian.org/gitweb/?p=apt/apt.git;a=commit;h=55971004215609a02ca19c59bd058da20729ba11]this commit[/url] is the one responsible.