Re: First time backports install: authentication issues
pim schravendijk wrote on Thursday, 31 January 2008:
> I couldn't find the following issue on the backports.org domain, so I'll ask
> it here:
> I'm doing the first-time install of a backport on debian etch.
> after adding:
> deb http://www.backports.org/debian etch-backports main contrib non-free
> to sources.list and doing an apt-get update, I get, as expected:
> Reading package lists... Done
> W: GPG error: http://www.backports.org etch-backports Release: The following
> signatures couldn't be verified because the public key is not available:
> NO_PUBKEY EA8E8B2116BA136C
> W: You may want to run apt-get update to correct these problems
> As mentioned in the download instructions, I need to install the backports
> apt-get install debian-backports-keyring
> However, that one cannot be authenticated:
> WARNING: The following packages cannot be authenticated!
> Install these packages without verification [y/N]?
Sure, this package is to make your debian trust backports.org. So this is
kind of a chicken and egg problem. The first package has to be
> Any software can be critical software and I'm not running debian stable to
> get my system unstable by some untrusted software, so just to take the
> overly paranoid approach: How can I know if I can trust this?
You can't. If you don't trust the people that run bpo - you are out of luck.
> Is the alternative way mentioned on:
> more trustworthy?
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
A little bit... but only if you check the signatures on this key before you
add it. And of course only if you trust one of the people that signed that