Re: backports
Florian Kulzer wrote:
[...]
>
> An even better approach would be to download the Backports.org Archive
> Key manually and to check the signature before adding the new key to
> apt's keyring. (Installing the debian-backports-keyring package directly
> means that an unverified post-installation script has root on your
> computer, therefore you cannot really trust anything after that,
> including the keys on the Debian keyring.)
>
> P.S. The same goes for the debian-multimedia-keyring package.
>
Yes, Florian, you must be right! I wonder why they offer the keyring package?
The instructions page [1] does give instructions about how to install the key -
and no mention of the debian-backports-keyring package:
... you can import backports.org archive’s key into apt:

    gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
    gpg --export | apt-key add -

or

    wget -O - http://backports.org/debian/archive.key | apt-key add -

No mention of how to check it though. Can you check the sig before installing
the key?
[1] http://backports.org/dokuwiki/doku.php?id=instructions
--
Chris.
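
One way to do the check asked about above, as an added example that is not part of the original message or of the backports.org instructions: save the key to a file, list it without importing it, and compare its full fingerprint with one obtained from a source you already trust. The function names and the sample listing are constructed for illustration, and `gpg --show-keys` assumes a recent GnuPG 2.

```shell
#!/bin/sh
# Added example. Intended use (the fingerprint is a placeholder you supply):
#   wget -O archive.key http://backports.org/debian/archive.key
#   verify_keyfile archive.key "<full fingerprint from a trusted source>" \
#       && apt-key add archive.key

# Constructed sample of `gpg --with-colons` output, for offline testing only.
SAMPLE_LISTING='pub:-:1024:17:89ABCDEF01234567:1136000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1136000000::::Constructed Test Key <test@example.invalid>:
sub:-:2048:16:1111111111111111:1136000000::::::e:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'

# Print the primary key's fingerprint from a colon listing on stdin.
# The first "fpr" record follows the "pub" record; field 10 is the fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip whitespace and upper-case a fingerprint as people usually write it.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED < colon-listing
# Returns 0 on an exact match, 1 on mismatch, 2 if EXPECTED is not a full
# 40-hex-digit fingerprint (an 8-digit key ID is not enough to identify a key).
fpr_matches() {
    want=$(normalise_fpr "$1")
    got=$(primary_fpr)
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_keyfile FILE EXPECTED
# Lists the key file without importing it, then compares fingerprints.
verify_keyfile() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_matches "$2"
}
```

The comparison is only as trustworthy as the channel the reference fingerprint came from; a value read from the same unauthenticated download as the key proves nothing.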