[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apt 0.6 in experimental

On Saturday 27 December 2003 22:20, Matt Zimmerman wrote:
> On Sat, Dec 27, 2003 at 01:04:36PM +0200, George Danchev wrote:
> > On Saturday 27 December 2003 01:44, Matt Zimmerman wrote:
> > Ok, if one have an old debian installations (being upgraded for years or
> > so) where the installed packages have not been verified, then he/she
> > starts to use the new tools to verify the signatures of newly installed
> > debs. Now is there an easy way to check out how many of the installed
> > packages were verified for good signature and how many of them were not ?
> No, and I don't see much value in attempting to do so.  If you want a
> paranoid system which has only been affected by authenticated packages,
> then you need to reinstall from scratch.  It is not sufficient to upgrade
> packages which were not authenticated.
> There is still a bootstrap problem as far as obtaining authenticated copies
> of apt, gnupg, glibc and gcc, but verifiable installation media should take
> care of that for new installations.

Agreed. A trusted instalation is needed from the begining... the Release.gpg 
on the CD's will be enough to start from.


> > I'm downloading apt 0.6.1 from incoming.debian.org now. Btw, where is the
> > APT source control repo presently ? It would be nice if one can check it
> > out from cvs.debian.org, svn.debian.org or alioth.debian.org. Thanks.
> It is on cvs.debian.org as it has been for many years.

That' right and I have been using it for years. Below is my local tree last 
updated on Mon Oct 20 23:55:52 2003.

> CVSROOT=cvs.debian.org:/cvs/deity

cat CVS/Root
cvs up -Pd
cvs [update aborted]: connect to cvs.debian.org( failed: 
Connection refused

pub  4096R/0E4BD0AB 2003-03-18 <keyserver.bu.edu>
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB 

Reply to: