> From: katolaz@???
>
>> To: dng@???
>>
>> On Tue, Oct 24, 2017 at 10:26:01AM -0400, Fungal-net wrote:
>>
>> [cut]
>>
>>>
>>> I reported the same in the forum and although I did not get an answer yet
>>> when earlier today I was trying to figure it out I changed all rep"s /merged/ to
>>> /devuan/ and I got working releases. The /merged/ directories of the repositories
>>> seem to not have been updated for a couple of months.
>>> I think this works for all ascii, ceres, experimental.
>>> Ohh.. and there was an update in one of the refracta pkgs as well :)
>>>
>>
>> That"s totally wrong. You should not replace /merged with /devuan
>> otherwise you won"t get any package at all, except those forked by
>> Devuan.
>>
>>> But it would be nice if one of the insideres would clarify this information as
>>> there has been ambiguity on what is what for 3-4 days now.
>>> The confusing issue is that pkgmaster or whatever is called with amprolla3
>>> in the announcement says /merged/ while they say all onion is on pkgmaster
>>> but only /devuan/ works.
>>
>> I don"t understand what you refer to, since many users are using the
>> onion address and have no problems with that. The onion address works
>> as the normal pkgmaster.devuan.org, and changing /merged with /devuan
>> is not solving your problem, only eliminating it in the wrong way
>> (since you will miss all the packages that were not forked by Devuan,
>> which are an overwhelming majority).
>>
>> The Devuan onion address works by redirecting requests of non-devuan
>> packages to a Debian onion repo. If you onion configuration is
>> correct, you should be able to use the repos without errors.
>>
>> If you could be so kind to show what error you get, we might try to
>> nail the cause down.
>
> The repository is not updated and the previous index files will be used. GPG error: tor://devuanfwojg73k6r.onion/merged ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB23C00C61FC752C

I think I'm getting somewhere.
The merged repositories will not update because the key is expired. One would have to revert to the /devuan/ update the keyring and re-edit the repositories with the new key to be able to upgrade.
But what about proposed-updates, is this devuan or merged?
I think there is proposed-security as well.

The installation I normally use and was checked frequently didn't have the same problem as the ones that have been unattended for a month or two. Somehow it seems as the keyring was updated before the pkgmaster deal and that makes the difference.