[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: First time backports install: authentication issues

ok, thanx! I guess I did the best I could, then. I think that if the debian-backports-keyring package would have been in the official debian repository, I wouldn't have received that message. I can imagine there would be some practical issues to get it like that, though.

It all makes sense, I just wanted to check if I hadn't forgotten a step in the installation, or did something else wrong.

On Jan 31, 2008 7:13 PM, Alexander Wirt <formorer@formorer.de> wrote:
pim schravendijk schrieb am Thursday, den 31. January 2008:

> Hi!
> I couldn't find the following issue on the backports.org domain, so I'll ask
> it here:
> I'm doing the first-time install of a backport on debian etch.
> after adding:
> deb http://www.backports.org/debian etch-backports main contrib non-free
> to sources.list and doing an apt-get update, I get, as expected:
> Reading package lists... Done
> W: GPG error: http://www.backports.org etch-backports Release: The following
> signatures couldn't be verified because the public key is not available:
> W: You may want to run apt-get update to correct these problems
> As mentioned in the download instructions, I need to install the backports
> keyring:
> apt-get install debian-backports-keyring
> However, that one cannot be authenticated:
> WARNING: The following packages cannot be authenticated!
>   debian-backports-keyring
> Install these packages without verification [y/N]?
Sure, this package is to make your debian trust backports.org. So this is
kind of a chicken and egg problem. The first package has to be

> Any software can be cricital software and I'm not running debian stable to
> get my system unstable by some untrusted software, so to just to take the
> overly paranoia approach: How can I know if I can trust this?
You can't. If you don't trust the people that run bpo - you are out of luck.

> Is the alternative way mentioned on:
> http://www.backports.org/dokuwiki/doku.php?id=instructions
> more trustworthy?
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
A little bit... but only if you check the signatures on this key before you
add it. And of course only if you trust one of the people that signed that


Greetings, Pim
Reply to: