Re: apt 0.6 in experimental
On Saturday 27 December 2003 22:20, Matt Zimmerman wrote:
> On Sat, Dec 27, 2003 at 01:04:36PM +0200, George Danchev wrote:
> > On Saturday 27 December 2003 01:44, Matt Zimmerman wrote:
> > Ok, if one have an old debian installations (being upgraded for years or
> > so) where the installed packages have not been verified, then he/she
> > starts to use the new tools to verify the signatures of newly installed
> > debs. Now is there an easy way to check out how many of the installed
> > packages were verified for good signature and how many of them were not ?
> No, and I don't see much value in attempting to do so. If you want a
> paranoid system which has only been affected by authenticated packages,
> then you need to reinstall from scratch. It is not sufficient to upgrade
> packages which were not authenticated.
> There is still a bootstrap problem as far as obtaining authenticated copies
> of apt, gnupg, glibc and gcc, but verifiable installation media should take
> care of that for new installations.
Agreed. A trusted instalation is needed from the begining... the Release.gpg
on the CD's will be enough to start from.
> > I'm downloading apt 0.6.1 from incoming.debian.org now. Btw, where is the
> > APT source control repo presently ? It would be nice if one can check it
> > out from cvs.debian.org, svn.debian.org or alioth.debian.org. Thanks.
> It is on cvs.debian.org as it has been for many years.
That' right and I have been using it for years. Below is my local tree last
updated on Mon Oct 20 23:55:52 2003.
cvs up -Pd
cvs [update aborted]: connect to cvs.debian.org(18.104.22.168):2401 failed:
pub 4096R/0E4BD0AB 2003-03-18 <keyserver.bu.edu>
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB