[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: A problem with Packages? Or is it not?



On Wed, Jul 10, 2002 at 02:45:41PM +1000, Anthony Towns wrote:
> On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> > 3/ Mr X changes proper line in Packages. It is not signed, so the change
> > remains unknown. Now Packages point to the malicious version of package.
> 
> [aj@cyan ~]$ lynx -source http://ftp.debian.org/debian/dists/woody/Release | grep main/binary-i386/Packages.gz
>  056de733d23e09c0b57c65aae294266f          1775249 main/binary-i386/Packages.gz
>  75dfe094198e0e6d48508cba2a926db151317c9e          1775249 main/binary-i386/Packages.gz
> 
> The former is an md5sum, the latter is an SHA1 checksum. The Release file
> has a detached signature in the Release.gpg file in the same location.
> 
> > 4/ I do 'apt-get update'. Apt download changed Packages file. 
> 
> You can verify what apt-get update downloaded using:
> 
> 	http://people.debian.org/~ajt/apt-check-sigs
> and
> 	http://ftp-master.debian.org/ziyi_key_2002.asc
> 
> It's not incredibly straightforward or particularly documented.

It sounds nice but when I try I get :

Source: deb http://http.us.debian.org/debian/ unstable main non-free
contrib
  o Origin: Debian/Debian
  o Suite: unstable/sid
  o Date: Tue, 09 Jul 2002 19:31:46 UTC
  o Description: Debian Unstable - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: AA7DEB7B722F1AED
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)
  * PROBLEMS WITH contrib (NOCHECK, NOCHECK)

Source: deb http://non-us.debian.org/debian-non-US unstable/non-US main
contrib non-free
  o Origin: Debian/Debian
  o Suite: unstable/sid
  o Date: Tue, 09 Jul 2002 18:54:01 UTC
  o Description: Debian Unstable - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: AA7DEB7B722F1AED
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH contrib (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)

Have I missed a step ?

Christophe

> 
> Cheers,
> aj
> 
> -- 
> Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
> I don't speak for anyone save myself. GPG signed mail preferred.
> 
>  ``If you don't do it now, you'll be one year older when you do.''



-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats seem go on the principle that it never does any harm to ask for
what you want. --Joseph Wood Krutch

Attachment: pgpmdjXUMdWKE.pgp
Description: PGP signature


Reply to: