
Re: A problem with Packages? Or is it not?



On Wed, Jul 10, 2002 at 02:45:41PM +1000, Anthony Towns wrote:
> On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> > 3/ Mr X changes the proper line in Packages. It is not signed, so the change
> > remains unknown. Now Packages points to the malicious version of the package.
> 
> [aj@cyan ~]$ lynx -source http://ftp.debian.org/debian/dists/woody/Release | grep main/binary-i386/Packages.gz
>  056de733d23e09c0b57c65aae294266f          1775249 main/binary-i386/Packages.gz
>  75dfe094198e0e6d48508cba2a926db151317c9e          1775249 main/binary-i386/Packages.gz
> 
> The former is an md5sum, the latter is an SHA1 checksum. The Release file
> has a detached signature in the Release.gpg file in the same location.
> 
> > 4/ I do 'apt-get update'. Apt downloads the changed Packages file.
> 
> You can verify what apt-get update downloaded using:
> 
> 	http://people.debian.org/~ajt/apt-check-sigs
> and
> 	http://ftp-master.debian.org/ziyi_key_2002.asc
> 
> It's not incredibly straightforward or particularly documented.

It sounds nice, but when I try it I get:

Source: deb http://http.us.debian.org/debian/ unstable main non-free contrib
  o Origin: Debian/Debian
  o Suite: unstable/sid
  o Date: Tue, 09 Jul 2002 19:31:46 UTC
  o Description: Debian Unstable - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: AA7DEB7B722F1AED
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)
  * PROBLEMS WITH contrib (NOCHECK, NOCHECK)

Source: deb http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free
  o Origin: Debian/Debian
  o Suite: unstable/sid
  o Date: Tue, 09 Jul 2002 18:54:01 UTC
  o Description: Debian Unstable - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: AA7DEB7B722F1AED
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH contrib (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)

Have I missed a step?

Christophe

> 
> Cheers,
> aj
> 
> -- 
> Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
> I don't speak for anyone save myself. GPG signed mail preferred.
> 
>  ``If you don't do it now, you'll be one year older when you do.''



-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats seem to go on the principle that it never does any harm to ask for
what you want. --Joseph Wood Krutch
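
Added example, not part of the original thread and not the code of apt-check-sigs: a minimal Python check of a downloaded index file against the size and checksum lines that the Release file lists for it, in the format shown in the quoted grep output. It assumes the Release file has already been verified against its detached Release.gpg signature; the function names and the sample data are constructed for illustration.

```python
import hashlib

# Release section name -> hashlib algorithm name
ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return {section: {path: (hexdigest, size)}} from a Release file."""
    sums, section = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):          # indented line: "<hash> <size> <path>"
            parts = line.split()
            if section in ALGOS and len(parts) == 3 and parts[1].isdigit():
                sums.setdefault(section, {})[parts[2]] = (parts[0].lower(), int(parts[1]))
        else:
            section = line.split(":", 1)[0]  # a new field such as "Suite" or "SHA1"
    return sums

def check_index(release_text, path, data):
    """Compare a downloaded index file with every checksum Release lists for it.
    Returns a list of problems; an empty list means size and digests all match."""
    problems, seen = [], 0
    for section, entries in parse_release(release_text).items():
        if path not in entries:
            continue
        seen += 1
        digest, size = entries[path]
        if len(data) != size:
            problems.append(f"{section}: size {len(data)} != {size}")
        if hashlib.new(ALGOS[section], data).hexdigest() != digest:
            problems.append(f"{section}: digest mismatch")
    if not seen:
        problems.append(f"{path} is not listed in Release")  # fail closed
    return problems

# Constructed sample data (not real archive contents).
PATH = "main/binary-i386/Packages.gz"
GOOD = b"Package: example\nVersion: 1.0-1\nFilename: pool/main/e/example/example_1.0-1_i386.deb\n"
TAMPERED = GOOD.replace(b"1.0-1_i386", b"1.0-2_i386")  # same length, one line changed
RELEASE = (
    "Origin: Debian\nSuite: unstable\nMD5Sum:\n"
    f" {hashlib.new('md5', GOOD).hexdigest()} {len(GOOD):16d} {PATH}\n"
    "SHA1:\n"
    f" {hashlib.new('sha1', GOOD).hexdigest()} {len(GOOD):16d} {PATH}\n"
)

if __name__ == "__main__":
    print(check_index(RELEASE, PATH, GOOD))
    print(check_index(RELEASE, PATH, TAMPERED))
```

The tampered sample keeps the original length, so only the digest comparison catches the changed line; a file that Release does not list at all is reported as a problem rather than passed.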
