Am 05.06.18 um 10:54 schrieb KatolaZ:
> On Tue, Jun 05, 2018 at 10:31:10AM +0200, Christoph Lechleitner wrote:
>
> [cut]
>
>>
>> I wasn't actually using auto.mirror (I don't like auto-magic and I like local mirrors as well as filled proxies in our LANs), my sources.list had:
>>
>> 1. http://at.mirror.devuan.org/ as nearest mirror.
>>
>> 2. http://packages.devuan.org/ which at some point seemed to be the prime repository, to avoid problems from half-synced mirrors.
>>
>
> No need to have both. It's exactly the same machine. Look at the DNS
> records.

There still could be name based virtual hosts in place ;-)

I was probably expecting some real local mirror to take the place of at.mirror someday.


>> Using this, i.e. only my country mirror
>> http://at.deb.devuan.org/
>> with ascii-updates and ascii-security added, would bring me back to
>> vlc 3.0.2 from ascii-security (or 2.2.7 from ascii)
>> conflicting with
>> vlc-data 2.2.7 from ascii-security or ascii
>>
>

> $ apt-cache policy vlc-data
> vlc-data:
>   Installed: 3.0.2-0+deb9u1
>   Candidate: 3.0.2-0+deb9u1
>     Version table:
>      *** 3.0.2-0+deb9u1 500
>             500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
>             500 http://pkgmaster.devuan.org/merged ascii-security/main i386 Packages
>             100 /var/lib/dpkg/status
>          2.2.7-1~deb9u1 500
>             500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
>             500 http://pkgmaster.devuan.org/merged ascii/main i386 Packages

>
>
> You must probably be mixing repos here and/or have some pins in
> place. What is the output of the above command in your case?

(after apt-get clean and apt-get update and removing any an)
# apt-cache policy vlc-data
vlc-data:
  Installiert:           3.0.2-0+deb9u1
  Installationskandidat: 3.0.2-0+deb9u1
  Versionstabelle:
 *** 3.0.2-0+deb9u1 500
        500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
        500 http://pkgmaster.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     2.2.7-1~deb9u1 500
        500 http://at.mirror.devuan.org/merged ascii/main amd64 Packages
        500 http://at.mirror.devuan.org/merged ascii/main i386 Packages
        500 http://at.mirror.devuan.org/merged ascii-security/main amd64 Packages
        500 http://at.mirror.devuan.org/merged ascii-security/main i386 Packages
        500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
        500 http://pkgmaster.devuan.org/merged ascii/main i386 Packages

So mixing is not the problem, at.mirror.devuan.org AKA packages.devuan.org simply has a vlc/vlc-data conflict in ascii-security.


After switching to
http://deb.devuan.org
as you suggested above the problem clears:

# LANG=C apt-cache policy vlc-data
vlc-data:
  Installed: 3.0.2-0+deb9u1
  Candidate: 3.0.2-0+deb9u1
  Version table:
 *** 3.0.2-0+deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main amd64 Packages
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     2.2.7-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main amd64 Packages
        500 http://deb.devuan.org/merged ascii/main i386 Packages

>> One more bit: The InRelease files on pkgmaster.devuan.org seem to be signed with a key that's not in devuan-keyring.
>>
> That's not true, otherwise apt would refuse to download and install
> any package, and not only for you but for thousands of users out
> there.

It seems I have very local problem here. One of the three Devuan ascii installations I can access right now still shows this:

# LANG=C apt-get update
[...]
Reading package lists... Done
W: GPG error: http://deb.devuan.org/merged ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB23C00C61FC752C
W: The repository 'http://deb.devuan.org/merged ascii InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[... repeats for ascii-security, ascii-updates]


> What is the output of:
>
> # apt-cache policy devuan-keyring

# LANG=C apt-cache policy devuan-keyring
devuan-keyring:
  Installed: 2017.10.03
  Candidate: 2017.10.03
  Version table:
 *** 2017.10.03 500
        500 http://deb.devuan.org/merged ascii/main amd64 Packages
        500 http://deb.devuan.org/merged ascii/main i386 Packages
        100 /var/lib/dpkg/status

A reinstall of devuan-keyring didn't help either, btw.

Anyway, this only hits one of my machines and must be a local problem, I'll try to find out more myself.

Maybe that one machine has still traces from Debian repositories I might have had active in certain situations, or the like.


I recently had another one-machine problem:
On one of my Laptops an incomplete (!) e2fslibs package was missing the ext2fs driver libext2fs.so, hence preventing bootup.
dpkg -L e2fslibs didn't show that libext2fs.so file and it wasn't there.
The version of the package shown by dpkg was the same on other machines that had the file in real and in dpkg -L.

Maybe this is repo signature weirdness is a similar situation.


Regards,

Christoph