On Wed, Jul 09, 2014 at 10:24:18PM -0600, Kitty Cat wrote:
I seem to remember being offered security updates for the kernel, OpenSSL, SSH, etc. where my only option was to download untrusted packages. I would get warning messages from aptitude about installing security updates.
Probably a configuration error. This should be rare with the current defaults, and would be worth a question before proceeding to install untrusted packages.
Maybe there should be written a document that describes in detail in easy to understand language what steps to take to verify keys and verify that apt has not been compromised in an already installed system. And also verifying that GPG has not been compromised.
You can't. There's a long answer, but the short answer is that it isn't practically possible.
of use. Particularly useful would be instructions to check to see if your system has been compromised by validating all already installed packages. MS Windows has an option to check installed Windows components.
Which is useless in real-world terms. If it wasn't, we wouldn't see windows botnets.
Mike Stone