Hello,

On Tuesday 14 September 2010 13:09:37 Torsten Grote wrote:
> Another note on security:
> pkg-kde-archive-keyring seems to be hosted on the same repository it is
> supposed to verify the trustworthiness of and it is not signed with an
> already trusted key. Installing an untrusted key and trusting that for all
> KDE packages is pointless for security.

Well, frankly, pkg-kde-archive-keyring is not a very good example of security, but imho it is good enough for this purpose. It is there mostly to shut apt/aptitude up. Keep in mind that you already trust the repository enough by adding it to sources.list. However, you are still somewhat protected from man-in-the-middle attacks. The archive key is signed by me and my key is in the Debian developers keyring, so you can always validate the pkg-kde-archive-keyring package.

$ gpg --no-default-keyring --keyring /usr/share/keyrings/pkg-kde-archive-keyring.gpg --list-sigs E79C8BAB
pub   4096R/E79C8BAB 2010-03-05
uid                  Debian pkg-kde repository signing key (http://pkg-kde.alioth.debian.org/) <debian-qt-kde@lists.debian.org>
sig 3        E79C8BAB 2010-03-05  Debian pkg-kde repository signing key (http://pkg-kde.alioth.debian.org/) <debian-qt-kde@lists.debian.org>
sig          73EAE214 2010-03-05  [User ID not found]

-- 
Modestas Vainius <modestas@vainius.eu>
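Added example, not part of the original message: `--list-sigs` only lists signatures, and "[User ID not found]" means the signer's key is not in the keyring being used, so this sketch loads the Debian developers keyring next to the archive keyring and requires a verified ("!") signature from 73EAE214. The debian-keyring path and the function names are assumptions; the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the original message).
ARCHIVE_KEYRING=/usr/share/keyrings/pkg-kde-archive-keyring.gpg  # path from the message
DEBIAN_KEYRING=/usr/share/keyrings/debian-keyring.gpg  # assumption: debian-keyring package
ARCHIVE_KEY=E79C8BAB  # short IDs as given in the message; a full
SIGNER_KEY=73EAE214   # fingerprint is the safer match if you have one

# Reads `gpg --with-colons --check-sigs` output on stdin. Succeeds only if
# key $1 carries a signature from key $2 whose validity (field 2) is "!".
# Other values: "-" bad, "?" signer's public key missing, "%" other error.
has_good_sig() {
    awk -F: -v key="$1" -v signer="$2" '
        function ends(s, suf) { return substr(s, length(s) - length(suf) + 1) == suf }
        $1 == "pub" { inkey = ends($5, key) }
        $1 == "sig" && inkey && $2 == "!" && ends($5, signer) { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Runs gpg with both keyrings so the third-party signature can be checked.
verify_archive_key() {
    gpg --no-default-keyring \
        --keyring "$ARCHIVE_KEYRING" --keyring "$DEBIAN_KEYRING" \
        --with-colons --check-sigs "$ARCHIVE_KEY" 2>/dev/null |
        has_good_sig "$ARCHIVE_KEY" "$SIGNER_KEY"
}

# Constructed sample records (key IDs zero-padded, timestamps made up).
# Only the archive keyring loaded: the third-party signature cannot be checked.
SAMPLE_UNCHECKED='pub:-:4096:1:00000000E79C8BAB:1267747200:::-:::scSC:
sig:!::1:00000000E79C8BAB:1267747200::::self:13x:
sig:?::1:0000000073EAE214:1267747200::::[User ID not found]:10x:'
# Signer key also available: the signature verifies.
SAMPLE_VERIFIED='pub:-:4096:1:00000000E79C8BAB:1267747200:::-:::scSC:
sig:!::1:00000000E79C8BAB:1267747200::::self:13x:
sig:!::1:0000000073EAE214:1267747200::::signer:10x:'
```

Call `verify_archive_key` on a system with both keyrings installed; exit status 0 means the archive key carries a checked signature from the signer key, and any other status means it could not be confirmed.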