[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG verification of apt packages


On 28/01/2021 19:08, Ramin Doe wrote:

> "Currently there are two different implementations for signing
> individual packages..."
> I think this is referring to the GPG signature verification mechanisms
> that are disabled by default. I'm happy to not try to not go down the
> route of enabling GPG verification, since it seems to be poorly
> documented (I haven't found a single concrete example of how to do
> this), so long as I can feel that the metadata checksum method is
> sufficiently reliable. I think that looking at the Release files would
> go a long way to relieving my anxiety about this. Any help would be
> appreciated!

Check any mirror ? e.g https://debian.ethz.ch/debian/dists/buster/

> I do wish there was an official document giving a high-level TLDR
> description of apt security, complete with caveats. As a bonus
> cherry-on-top wish, it would be awesome if it furthermore made clear
> what old mechanisms were deprecated and could be ignored!

The closest thing that comes to my mind would be
Hope it helps!



Reply to: