
Re: backports



On Sun, Jun 24, 2007 at 08:54:05 +0100, Chris Lale wrote:
> Florian Kulzer wrote:
> [...]
> > 
> > An even better approach would be to download the Backports.org Archive
> > Key manually and to check the signature before adding the new key to
> > apt's keyring. (Installing the debian-backports-keyring package directly
> > means that an unverified post-installation script has root on your
> > computer, therefore you cannot really trust anything after that,
> > including the keys on the Debian keyring.)
> > 
> > P.S. The same goes for the debian-multimedia-keyring package.
> > 
> 
> Yes, Florian, you must be right! I wonder why they offer the keyring package?

The keyring package allows automatic installation of new signing keys,
just like debian-archive-keyring for the normal Debian pool. This is
safe - or at least as "safe" as your basic trust in Debian is - provided
that you perform the initial check. From then on, each new key can be
verified (automatically) with the old key during a transition period and
the chain of trust remains intact. (I don't know how often they will
issue a new key for the backports archive, though; the normal Debian
archive keys get updated at least once a year.)

> The instructions page does give instructions about how to install the key -
> and no mention of the debian-backports-keyring package:
> 
> 	... you can import backports.org archive’s key into apt:
> 
> 	gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> 	gpg --export | apt-key add -
> 
> 	or
> 
> 	wget -O - http://backports.org/debian/archive.key | apt-key add -
> 
> No mention of how to check it though. Can you check the sig before installing
> the key?

Yes, you can: Just run the "gpg ... --recv-keys ..." command as your
normal user and the new key will be added (as untrusted) to your normal
user's public keyring. Then you can perform the check:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C

and make sure that Joerg Jaspert's signature (key 7E7B8AC9) is valid.
After that you can feed the key to apt

$ gpg -a --export 16BA136C | sudo apt-key add -

and you are all set. If you do not want to use sudo then you can export
the key to a file before you become root:

$ gpg -a --export 16BA136C > backports-archive-key.txt
# apt-key add backports-archive-key.txt

If you have problems with the keyserver then you can use the wget
command to add the key to your public keyring:

$ wget -O - http://backports.org/debian/archive.key | gpg --import -

Then you can perform the same check before you tell apt to trust the
key. I would avoid running anything as root except for the apt-key
command.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
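As an added example that is not part of Florian's mail: a small POSIX shell script that automates the check described above by parsing gpg's machine-readable (--with-colons) --check-sigs output, so the key is only exported for apt-key when the expected signature actually verified. The keyring path and key IDs are the ones from the mail; the function names and the sample gpg output are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Refuses to export the backports
# key for apt-key unless the expected signature on it verified. Key IDs and
# the keyring path are the ones given in the mail; all else is assumed here.
DEBIAN_KEYRING=/usr/share/keyrings/debian-keyring.gpg
BACKPORTS_KEY=16BA136C     # Backports.org Archive Key (short ID from the mail)
SIGNER_KEY=7E7B8AC9        # Joerg Jaspert (short ID from the mail)

# has_valid_sig SIGNER  (reads "gpg --with-colons --check-sigs" output on stdin)
# gpg prints one "sig" record per signature. Field 2 is "!" only when the
# signature was actually verified against a key gpg has; "-" means bad,
# "?" means the signing key was not found, "%" an error. Field 5 is the
# 16-digit key ID, so an 8-digit short ID must match its tail.
# Returns 0 when a verified signature from SIGNER is present.
has_valid_sig() {
    awk -F: -v signer="$1" '
        $1 == "sig" && $2 == "!" &&
        substr($5, length($5) - length(signer) + 1) == signer { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_and_export KEY SIGNER OUTFILE
# Runs gpg as the normal user (the Debian keyring is added alongside the
# user's own keyring, where --recv-keys or --import put the new key) and
# writes an ASCII-armoured export only when the check passes.
verify_and_export() {
    key=$1; signer=$2; out=$3
    gpg --keyring "$DEBIAN_KEYRING" --with-colons --check-sigs "$key" \
        | has_valid_sig "$signer" || {
        echo "no verified signature from $signer on $key; not exporting" >&2
        return 1
    }
    gpg -a --export "$key" > "$out"
}

# Constructed sample of --check-sigs colon output (the 00000000 prefixes are
# placeholders, not the real long key IDs): first a verified signature from
# the signer, then a run where gpg could not verify it (only the self-sig is good).
SAMPLE_GOOD='pub:-:1024:17:0000000016BA136C:2005-01-01::-:Backports.org Archive Key:
sig:!::17:000000007E7B8AC9:2005-01-01::::Joerg Jaspert:10x:'
SAMPLE_BAD='pub:-:1024:17:0000000016BA136C:2005-01-01::-:Backports.org Archive Key:
sig:?::17:000000007E7B8AC9:2005-01-01::::Joerg Jaspert:10x:
sig:!::17:0000000016BA136C:2005-01-01::::Backports.org Archive Key:13x:'

# After the mail's --recv-keys or --import step, the real run would be:
#   verify_and_export "$BACKPORTS_KEY" "$SIGNER_KEY" backports-archive-key.txt \
#       && sudo apt-key add backports-archive-key.txt
```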