R SIG Debian - May 2022 - Ubuntu Impish (21.10) repository complains about weak security information

Dear list,

When running `apt update` on my two Ubuntu 21.10 machines today, I
noticed that apt complains with the following message:

E: The repository 'https://cloud.r-project.org/bin/linux/ubuntu
impish-cran40/ InRelease' provides only weak security information.

N: Updating from such a repository can't be done securely, and is
therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user
configuration details.


As a result, I can't upgrade the packages any more (I was about to
upgrade from R 4.1.3 to 4.2.0).

If I replace `impish-cran40` with either `focal-cran40` or
`jammy-cran40` in `/etc/apt/sources.list.d/cran.list` the warning goes
away (although unsurprisingly upgrading packages fails because of
dependency issues).
This gives me the idea that something is wrong with the way the packages
for Ubuntu 21.10 are signed, whereas this is done correctly for 20.04
and 22.04.

There is also a StackOverflow question about this [1], so this doesn't
seem to be related to only my setup.


Best regards,

Lennart Karssen.


[1]
https://stackoverflow.com/questions/72098905/problem-with-r-impish-repo-in-ubuntu-22-04-impish-cran40

-- 
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
L.C. Karssen
Den Bosch
The Netherlands

lennart at karssen.org
http://blog.karssen.org

On 16 May 2022 at 16:54, Lennart C. Karssen wrote:
| As a result, I can't upgrade the packages any more (I was about to
| upgrade from R 4.1.3 to 4.2.0).

A brute-force (and 'insecure') fix is to add

  [trusted=yes]

between deb and the url.  Obviously, using properly signed repos with keys is
better but that is not something you have control over.

For what it is worth I too have that in my impish-cran40 line on this 21.10
machine that I reply from.

Dirk


-- 
dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org