On Mon, Mar 23, 2026 at 7:29 AM Olaf Meeuwissen <paddy-hack@???>
wrote:
> I suggest using apt modernize-sources to change your source.list to e.g.
> sources.list.d/devuan.sources. This format makes it somewhat easier to
> use a single Signed-By: for a pile of suites and components, like so
>
>
That command gave an error, "Could not determine Signed-By for URIs: [all of them]."
Fortunately, I backed up /etc/apt, so whatever damage it did can be undone.
> Types: deb
> URIs: http://deb.devuan.org/merged
> Suites: excalibur-security excalibur
> Components: main non-free-firmware
> Signed-By: /etc/apt/trusted.gpg.d/devuan-keyring-excalibur-archive.asc
>
> Feel free to add suites, e.g. excalibur-updates or excalibur-backports,
> and components, e.g. contrib or non-free.
>
> >You did not need [signed-by] before because APT checked *all* of the
> >keys below /etc/apt/trusted.gpg.d/ and in /etc/apt/trusted.gpg for each
> >of your sources. That is not overly secure. With the above those
> >excalibur sources will only be checked with that single key. My docker
> >sources
>
It was probably more secure than what I'm probably going to go with from now on,
which is just to override all key signing with --allow-unauthenticated, and
whatever the option was in whatever file it was (I've forgotten already).
That's what happens when developers make things more difficult in the name of
"security." I'm not going to accept the burden of having to manually manage
which key is expected to have signed my OS packages.
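The point made in the quoted reply, that a source without Signed-By is verified against every key in /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/ while a pinned source is verified against one key, can be turned into an audit. The script below is an added example, not part of this thread and not apt's own `modernize-sources`: it parses both the deb822 `.sources` format (including the indented continuation line that deb822 requires when the Signed-By path sits on its own line, as in the quoted stanza) and the one-line `sources.list` format, and reports every entry that would still fall back to the global trust store or that disables verification with `trusted=yes`. The sample inputs are constructed; the `example.invalid` URIs and keyring paths are placeholders, and only the Devuan stanza mirrors the one quoted above.

```python
"""Audit APT source definitions for entries with no Signed-By / signed-by pin.

Such entries are verified against every key below /etc/apt/trusted.gpg.d/ and
in /etc/apt/trusted.gpg rather than against a single key. Added example; the
sample inputs at the bottom are constructed.
"""
import re


def parse_deb822_sources(text):
    """Return a list of stanzas (dicts with lower-cased field names).

    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field, which is how a Signed-By path on its own
    line must be written in deb822. Lines starting with '#' are comments.
    """
    stanzas, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
            continue
        if raw[0] in " \t":
            if last_key is None:
                raise ValueError("continuation line without a field: %r" % raw)
            current[last_key] = (current[last_key] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed deb822 line: %r" % raw)
        last_key = key.strip().lower()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def parse_sources_list(text):
    """Return stanza-like dicts for one-line entries:
    deb [opt=val ...] URI suite [component ...]  (the [...] options are optional).
    Option names (signed-by, trusted, ...) are stored under the same lower-cased
    keys that the deb822 parser produces, so one audit handles both formats."""
    entries = []
    pattern = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = pattern.match(line)
        if not m:
            raise ValueError("malformed sources.list line: %r" % raw)
        typ, opts, uri, suite, comps = m.groups()
        entry = {"types": typ, "uris": uri, "suites": suite, "components": comps.strip()}
        for opt in (opts or "").split():
            k, _, v = opt.partition("=")
            entry[k.strip().lower()] = v
        entries.append(entry)
    return entries


def audit_sources(stanzas):
    """Return (target, problem) findings for sources that are not pinned to a
    single key, or that switch signature verification off altogether."""
    findings = []
    for s in stanzas:
        target = "%s %s" % (s.get("uris", "?"), s.get("suites", "?"))
        if not s.get("signed-by"):
            findings.append((target, "no Signed-By: checked against every key in /etc/apt/trusted.gpg*"))
        # [trusted=yes] / Trusted: yes tells APT to skip verification for the source
        if s.get("trusted", "").lower() == "yes":
            findings.append((target, "Trusted: yes disables signature verification"))
    return findings


# Constructed sample: first stanza mirrors the one quoted in the thread, the
# second has no Signed-By at all.
SAMPLE_DEB822 = """\
# devuan.sources (constructed copy of the quoted stanza)
Types: deb
URIs: http://deb.devuan.org/merged
Suites: excalibur-security excalibur
Components: main non-free-firmware
Signed-By:
 /etc/apt/trusted.gpg.d/devuan-keyring-excalibur-archive.asc

# constructed: unpinned stanza
Types: deb
URIs: http://example.invalid/debian
Suites: stable
Components: main
"""

# Constructed legacy one-line entries: pinned, unpinned, and verification disabled.
SAMPLE_LEGACY = """\
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] http://example.invalid/apt stable main
deb http://example.invalid/other stable main
deb [trusted=yes] http://example.invalid/local ./
"""


def run_audit():
    """Parse both constructed samples and return the combined findings."""
    stanzas = parse_deb822_sources(SAMPLE_DEB822) + parse_sources_list(SAMPLE_LEGACY)
    return audit_sources(stanzas)


if __name__ == "__main__":
    for target, problem in run_audit():
        print("%-45s %s" % (target, problem))
```

Run against a real system, replace the two samples with the contents of /etc/apt/sources.list and each file under /etc/apt/sources.list.d/; the Devuan stanza produces no finding because its Signed-By continuation line is indented, while the three unpinned or `trusted=yes` entries are each reported.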