Re: Apt-get is insecure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
> > Could anyone point me to some documentation about how this fits
> > within the 'usual' apt-get update apt-get install procedure.
>
> The idea is:
> * packages are signed using debsig and get one (or more) embedded
> signatures
> * apt & friends don't look at the signature and will just see a
> normal package
> * dpkg will call debsig-verify to verify the signature and validate
> the package
>
> The last step is currently skipped since /etc/dpkg/dpkg.cfg
> includes the no-debsig option by default, otherwise debsig-verify
> would happily reject all current packages.
^^^
All or just those that are not signed correctly?
Is there the possibility to just get a warning? In potato the
no-debsig switch isn't even documented in the dpkg manpage.
Hendrik
- --
PGP ID 21F0AC0265C92061
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8HgyXIfCsAmXJIGERAkeOAJ0dNThNGOpZMpUSK/YOMzRqLsVFJQCcCr0X
fgfSd8MYNl1/jYZ7BRWmuy0=
=SAFy
-----END PGP SIGNATURE-----
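The quoted explanation above describes the flow (packages carry debsig signatures, dpkg calls debsig-verify, and the no-debsig line in /etc/dpkg/dpkg.cfg disables that step). As an added example that is not part of this thread, the following POSIX shell script checks whether a dpkg.cfg actually has an uncommented no-debsig option (so a commented-out copy is not mistaken for an active one) and, when debsig-verify is installed, runs it on a given .deb and passes its exit status through. The config path and the script name are assumptions; debsig-verify and the no-debsig option are the ones named in the message.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether dpkg has been told
# to skip debsig verification, and verify one package by hand.

# debsig_disabled CFGFILE
# Returns 0 when an uncommented "no-debsig" option is present in the given
# dpkg configuration file, 1 otherwise (meaning dpkg would call debsig-verify).
debsig_disabled() {
    _cfg="$1"
    [ -r "$_cfg" ] || return 1
    # Drop everything after a '#' so commented-out lines do not count, then
    # look for the bare option on a line of its own.
    sed 's/#.*//' "$_cfg" | grep -Eq '^[[:space:]]*no-debsig[[:space:]]*$'
}

# verify_deb PACKAGE.deb
# Runs debsig-verify (the tool dpkg itself would call) on one package and
# returns its exit status; returns 2 when debsig-verify is not installed.
verify_deb() {
    command -v debsig-verify >/dev/null 2>&1 || return 2
    debsig-verify "$1"
}

# Usage when run directly: ./check-debsig.sh [/path/to/dpkg.cfg]
# (path and script name are assumptions for this example)
cfg="${1:-/etc/dpkg/dpkg.cfg}"
if [ ! -r "$cfg" ]; then
    echo "cannot read $cfg"
elif debsig_disabled "$cfg"; then
    echo "no-debsig is set in $cfg: dpkg will NOT call debsig-verify"
else
    echo "no-debsig is not set in $cfg: dpkg will call debsig-verify on install"
fi
```

The exit status of verify_deb is the one a caller should act on: a package that debsig-verify rejects is exactly the case the quoted text says would currently be rejected across the board, which is why the option was defaulted on.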