Re: Instructions add all PGP public keys to APT

Cc: backports-users@lists.backports.org
Subject: Re: Instructions add *all* PGP public keys to APT
From: Anthony DeRobertis <aderobertis@metrics.net>
Date: Fri, 06 Mar 2009 10:45:54 -0500
Message-id: <[🔎] 49B14532.8070105@metrics.net>
In-reply-to: <[🔎] 20090306145520.GB1594@apu.snow-crash.org>
References: <s2sy6vuh6s3.fsf@poodoo.mathi.uni-heidelberg.de> <[🔎] 20090306145520.GB1594@apu.snow-crash.org>

(Sorry for the cc's; sometimes the list seems to eat my mails...)

Its quite possible to generate a key with a duplicate 32-bit hash; an
mischievous person could then upload that to the keyserver. Since
apt-key doesn't do any web-of-trust verification, apt-key would happily
accept the bogus key.

Instead, it'd be best to use the full fingerprint:

gpg --export 27034F81A2EB2840A4386C09EA8E8B2116BA136C | apt-key add -

Reply to:

References:
- Re: Instructions add *all* PGP public keys to APT
  - From: Alexander Wirt <formorer@formorer.de>

Prev by Date: Re: Why are backports of Squeeze packages in etch-backports?
Next by Date: Re: Why are backports of Squeeze packages in etch-backports?
Previous by thread: Re: Instructions add *all* PGP public keys to APT
Next by thread: Including ktechlab
Index(es):
- Date
- Thread

Re: Instructions add *all* PGP public keys to APT

Re: Instructions add all PGP public keys to APT