Comment 2 for bug 1277678

Daniel Manrique (roadmr) wrote :

What happens is that given two sources for the same version of a package, apt-get prefers the ones that can authenticate a package. Since the local-repo packages are not signed, apt-get falls through to the remote ones.

Passing --allow-unauthenticated makes the local packages take precedence.

OK, more options :) the easiest way is to reconfigure apt-get to allow unauth'd packages to be installed. This is very easy to do but leaves users (at least the ones with systems that are connected) at risk to download unauthenticated packages from other sources.

The second option (I need to research this) would be to authenticate our packages, which would have to be done with some sort of local key (to continue working entirely offline).