You might need to consider the following situations when it comes to apt repository security.
You are adding an untrusted repository
Since anyone can create a private-public key pair, just validating the downloaded contents or apt-index with the public key won't solve the problem when the author of the repository and the owner of the key puts malicious software in the repository.
He would create a key pair, sign the contents with his private key, upload the contents to the repository, and then upload his public key.
Then you add the repository, download his public key and then try to check. Apt would verify it without issuing warning messages. You might feel you are secure, but you are not. Are you sure you believe the person who has uploaded the content?
You added a repository which has content uploaded by a person you know
This might seem safe. You know the person's name and see that he has signed the repository contents and also the index. In this case too you are insecure. Anyone can impersonate the name.
In this case you need to verify the public key. You should know that person's public key and should be sure about it. If you know the person and see that the repository needs a different public key for validating the contents then you should not trust that repository.
You should know the person's name and his public key pair together to validate the authenticity of the repository. If any of them is wrong, don't trust the repository.
This is the reason why geek and hacker circles have key-signing parties where they meet in person, show each other valid identity proof and then establish trust.
You know the person, have the correct public key, but apt shows warnings
This might be the case when you are trying to add the repository, but your computer is not getting the correct apt URL. This might be the situation where your DNS is not working properly and someone is trying to trick you into adding the wrong repository by DNS cache poisoning.
If you get an apt warning even when you have the correct public key, then ABORT. Don't go forward. This third case is usually very rare and you should not be worried about encountering this situation.
Conclusion
When you want to add a repository and you want to be very sure you are adding the correct repository, you need to know the person who has uploaded the content and should be sure about his public key. Validate the repository only against his public key and not the one which the repository owner asks you to verify against. This is the safest mechanism. As mentioned above, it is NOT safe even if apt doesn't give warnings when adding a repository. The contents might be malicious.
Even if you are using a well-known repository, if apt complains, it means that you are not adding the correct repository. You are NOT SAFE.
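The check described in the answer above, as an added example that is not part of the original post: before trusting a repository key, compare its full fingerprint with the one you obtained from the maintainer out-of-band, never with the name on the key. The key listings, the name, the fingerprints and the function names are constructed for illustration; the listings follow the colon-separated format printed by gpg --show-keys --with-colons.

```python
# Constructed listings in the format of `gpg --show-keys --with-colons`.
# Both keys carry the same name, and the impostor even shares the 8-hex
# short key ID; only the full fingerprint tells them apart.
GENUINE = """\
pub:-:4096:1:1122334455667788:1700000000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
uid:-::::1700000000::0000::Alice Maintainer <alice@example.org>::::::::::0:
sub:-:4096:1:99AABBCCDDEEFF00:1700000000::::::e::::::23:
fpr:::::::::00001111222233334444555599AABBCCDDEEFF00:
"""
IMPOSTOR = """\
pub:-:4096:1:3333222255667788:1700000500:::-:::scESC::::::23::0:
fpr:::::::::9999888877776666555544443333222255667788:
uid:-::::1700000500::0000::Alice Maintainer <alice@example.org>::::::::::0:
"""
# Fingerprint received from the maintainer out-of-band (constructed value).
PINNED = "AAAA BBBB CCCC DDDD EEEE  FFFF 1122 3344 5566 7788"


def primary_keys(colons: str):
    """Return [(fingerprint, [user IDs])] for every primary key listed."""
    keys, last = [], None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]                      # remember which key an fpr belongs to
            if f[0] == "pub":
                keys.append([None, []])
        elif f[0] == "fpr" and last == "pub" and keys and len(f) > 9:
            keys[-1][0] = f[9].upper()       # field 10: fingerprint of the primary key
        elif f[0] == "uid" and keys and len(f) > 9:
            keys[-1][1].append(f[9])         # field 10: user ID (anyone can set this)
    return [(fp, uids) for fp, uids in keys]


def key_is_trusted(colons: str, pinned_fpr: str) -> bool:
    """Accept only a file holding exactly one primary key whose full
    fingerprint equals the pinned one; short key IDs are refused."""
    pinned = pinned_fpr.replace(" ", "").upper()
    keys = primary_keys(colons)
    if len(pinned) < 40 or len(keys) != 1 or keys[0][0] is None:
        return False
    return keys[0][0] == pinned
```

The single-key requirement matters because a key file that bundles a second key would make apt trust packages signed by either one.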
You are trusting that Canonical compiled the program so it did not have any tampering that is not evident in the source code, and that they verified the signature on the source code from the Ubuntu developer that uploaded it, or that Debian did the same for the Debian developer who uploaded it, if the package came from Debian. You are trusting the developer who uploaded the source package, who of course cannot thoroughly review all of the upstream code, so you are also trusting all of the upstream open source contributors.
Best Answer
Have you tried putting the acng service into offline mode?
After you've updated the dev server, add
offlinemode:1
to the acng config file and restart the server. It can still serve the cached content but won't retrieve any newer packages over the Internet.