
Re: First time backports install: authentication issues



OK, thanks! I guess I did the best I could, then. I think that if the debian-backports-keyring package had been in the official Debian repository, I wouldn't have received that message. I can imagine there would be some practical issues to get it like that, though.

It all makes sense, I just wanted to check if I hadn't forgotten a step in the installation, or did something else wrong.

On Jan 31, 2008 7:13 PM, Alexander Wirt <formorer@formorer.de> wrote:
pim schravendijk wrote on Thursday, 31 January 2008:

> Hi!
>
> I couldn't find the following issue on the backports.org domain, so I'll ask
> it here:
> I'm doing the first-time install of a backport on debian etch.
>
> after adding:
>
> deb http://www.backports.org/debian etch-backports main contrib non-free
>
> to sources.list and doing an apt-get update, I get, as expected:
>
> Reading package lists... Done
> W: GPG error: http://www.backports.org etch-backports Release: The following
> signatures couldn't be verified because the public key is not available:
> NO_PUBKEY EA8E8B2116BA136C
> W: You may want to run apt-get update to correct these problems
>
> As mentioned in the download instructions, I need to install the backports
> keyring:
>
> apt-get install debian-backports-keyring
>
> However, that one cannot be authenticated:
>
> WARNING: The following packages cannot be authenticated!
>   debian-backports-keyring
> Install these packages without verification [y/N]?
Sure, this package is to make your debian trust backports.org. So this is
kind of a chicken and egg problem. The first package has to be
unauthenticated.

> Any software can be critical software and I'm not running debian stable to
> get my system unstable by some untrusted software, so just to take the
> overly paranoid approach: How can I know if I can trust this?
You can't. If you don't trust the people that run bpo - you are out of luck.

>
> Is the alternative way mentioned on:
> http://www.backports.org/dokuwiki/doku.php?id=instructions
> more trustworthy?
>
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
A little bit... but only if you check the signatures on this key before you
add it. And of course only if you trust one of the people that signed that
key...

Alex




--
Greetings, Pim
http://www.molmod.com
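
An added example, not part of the original messages: one way to script the check Alex describes (verify the key before adding it), by comparing the full fingerprint against one obtained over a second channel and against the 64-bit ID from apt's NO_PUBKEY warning. The function names, the `FPR_FROM_SECOND_CHANNEL` variable and both key listings are constructed for illustration; the fingerprints are placeholders, not the real archive key.

```shell
#!/bin/sh
# Added example. Input is `gpg --with-colons --fingerprint` output.
# Constructed sample listing: the fingerprint is a placeholder that merely ends
# in the key ID apt printed (EA8E8B2116BA136C); it is NOT the real archive key.
SAMPLE_LISTING='pub:-:1024:17:EA8E8B2116BA136C:1136000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567EA8E8B2116BA136C:
uid:-::::1136000000::0000::Constructed Key <archive@example.invalid>:'
# Constructed second key sharing only the 32-bit short ID 16BA136C.
COLLIDING_LISTING='pub:-:1024:17:DEADBEEF16BA136C:1136000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAADEADBEEF16BA136C:
uid:-::::1136000000::0000::Constructed Lookalike <other@example.invalid>:'

# Print the fingerprint of every primary key in a colon listing read from stdin.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# key_ok LISTING EXPECTED_FPR APT_KEYID
# Succeeds only if the keyring holds exactly one primary key, its full
# fingerprint equals the one obtained over a second channel, and that
# fingerprint ends in the 64-bit ID from apt's NO_PUBKEY warning.
key_ok() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    keyid=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    fprs=$(printf '%s\n' "$1" | primary_fprs)
    count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || { echo "refusing: $count primary keys" >&2; return 1; }
    [ "$fprs" = "$expected" ] || { echo "refusing: fingerprint mismatch" >&2; return 1; }
    case $fprs in
        *"$keyid") return 0 ;;
        *) echo "refusing: not the key apt asked for" >&2; return 1 ;;
    esac
}

# Typical use (needs gpg and network access, so shown as comments only):
#   export GNUPGHOME=$(mktemp -d)                 # empty, throwaway keyring
#   gpg --keyserver hkp://subkeys.pgp.net --recv-keys EA8E8B2116BA136C
#   gpg --check-sigs EA8E8B2116BA136C             # inspect who signed the key
#   key_ok "$(gpg --with-colons --fingerprint)" "$FPR_FROM_SECOND_CHANNEL" \
#          EA8E8B2116BA136C && gpg --export EA8E8B2116BA136C | apt-key add -
```

`gpg --export` without a key argument exports every public key in the keyring, which is why the commented usage works in a throwaway `GNUPGHOME` and names the key explicitly.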