Re: Debian packages without md5sums

To: debian-user@lists.debian.org
Subject: Re: Debian packages without md5sums
From: Felix Karpfen <felixk@webone.com.au>
Date: Wed, 12 Sep 2007 21:25:39 +0000 (UTC)
Message-id: <[🔎] fc9lgh$j1h$1@sea.gmane.org>
Reply-to: felix@spodzone.org.uk
References: <[🔎] fc4ca6$5tg$1@sea.gmane.org> <[🔎] 20070911181553.GB18618@localhost.localdomain>

On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:

> On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>> 
>> The fault is mine/my setup.  My connection to the internet is slow;
>> hence I am reduced to using the DVDs for upgrades.  Although I procured
>> the "official" Etch DVD set from a supplier listed by Debian, there were
>> numerous notifications during the "dist-upgrade" that I was installing
>> "untrusted packages".
> 
> these errors (untrusted packages) have to do with the new secure-apt
> system which uses gpg keys to confirm the signatures on
> packages. Install the debian-archive-keyring package and then update.
> 

The package was installed by default during the upgrade to Etch.  But
the documentation on how to use it is sparse.  A new (December 2003!) apt
routine - apt-key - can now be invoked and offers the following options:

| Usage: apt-key [command] [arguments]
| 
| Manage apt's list of trusted keys
| 
|   apt-key add <file>          - add the key contained in <file> ('-' for stdin)
|   apt-key del <keyid>         - remove the key <keyid>
|   apt-key update              - update keys using the keyring package
|   apt-key list                - list keys

But How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
authenticate the individual installed packages. 

I have no wish to re-invent the wheel - even if I knew how. A pointer to
documentation would help. I have the gpg package installed and have used
it occasionally to sign my emails; but there must be a routine for using
the Etch Stable Release Key for checking 1000+ installed Debian
packages.

An afterthought:

Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
has not been altered, but the signer is unknown"?

If so, then I am worrying about nothing!!

>> 
>> Is there an alternative to "aptitude update" or do I have to live with the
>> missing md5sums and "untrusted packages"?
> 
> there is not really any alternative to "aptitude update" 

If the update needs to be done while "online", it is probably a lost
cause.

Thank you for taking the time to point me in the right direction.

Felix Karpfen

-- 
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)

Reply to:

Follow-Ups:
- Re: Debian packages without md5sums
  - From: Andrew Sackville-West <andrew@farwestbilliards.com>
- Re: Debian packages without md5sums
  - From: Osamu Aoki <osamu@debian.org>

References:
- Debian packages without md5sums
  - From: Felix Karpfen <felixk@webone.com.au>
- Re: Debian packages without md5sums
  - From: Andrew Sackville-West <andrew@farwestbilliards.com>

Prev by Date: Re: Auto moving junk to trash in Icedove
Next by Date: Accessing software programs from disk
Previous by thread: Re: Debian packages without md5sums
Next by thread: Re: Debian packages without md5sums
Index(es):
- Date
- Thread