
Re: Debian packages without md5sums



On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
> 
> > On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
> >> 
> >> The fault is mine/my setup.  My connection to the internet is slow;
> >> hence I am reduced to using the DVDs for upgrades.  Although I procured
> >> the "official" Etch DVD set from a supplier listed by Debian, there were
> >> numerous notifications during the "dist-upgrade" that I was installing
> >> "untrusted packages".
> > 
> > these errors (untrusted packages) have to do with the new secure-apt
> > system which uses gpg keys to confirm the signatures on
> > packages. Install the debian-archive-keyring package and then update.
> > 
> 
> The package was installed by default during the upgrade to Etch.  But
> the documentation on how to use it is sparse.  A new (December 2003!) apt
> routine - apt-key - can now be invoked and offers the following options:
> 
> | Usage: apt-key [command] [arguments]
> | 
> | Manage apt's list of trusted keys
> | 
> |   apt-key add <file>          - add the key contained in <file> ('-' for stdin)
> |   apt-key del <keyid>         - remove the key <keyid>
> |   apt-key update              - update keys using the keyring package
> |   apt-key list                - list keys
> 
> 
> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> authenticate the individual installed packages?

sorry, beyond me. on my system it just works. 

...

> 
> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
> has not been altered, but the signer is unknown"?

I'm not sure.

> 
> If so, then I am worrying about nothing!!

not if the package is a compromised package that's been signed by the
compromiser so that its signature is good but from an untrusted
source, but we're outside my understanding here.

> 
> >> 
> >> Is there an alternative to "aptitude update" or do I have to live with the
> >> missing md5sums and "untrusted packages"?
> > 
> > there is not really any alternative to "aptitude update" 
> 
> If the update needs to be done while "online", it is probably a lost
> cause.

a proper online update would probably do you a lot of good in regards
to the archive keys, but probably would get your repository out of
sync with your DVDs. If you are installing from known good media and
getting these errors, then I'd suggest that 1) you're probably okay
and 2) you need to talk to whoever supplied that media and make sure
they are up-to-date.

A

-- 
current song: The Killers - Everything Will Be Alright
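
Added example, not part of the original message and not apt's own code: under secure-apt a key in the trusted keyring signs only the archive's Release file, Release lists checksums of the Packages indexes, and each Packages entry lists the checksum of one .deb, so an individual package is authenticated by following that chain. The sketch below walks the chain over constructed sample data; the function names, paths and file contents are assumptions made for the illustration, and the signature check on Release itself (done with gpgv against the keyring) is assumed to have already passed.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text, field="SHA256"):
    """Map index path -> (digest, size) from one checksum field of a Release file."""
    found, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, path = line.split()
            found[path] = (digest, int(size))
        else:
            in_field = False
    return found

def packages_entries(packages_text):
    """Map Filename -> fields for every stanza of a Packages index."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries

def verify_chain(release_text, index_path, packages, deb_path, deb):
    """Release -> Packages -> .deb; the signature on Release is assumed already verified."""
    listed = release_hashes(release_text).get(index_path)
    if listed is None:
        return "index not listed in Release"
    if listed != (sha256(packages), len(packages)):
        return "Packages index does not match Release"
    entry = packages_entries(packages.decode()).get(deb_path)
    if entry is None:
        return "package not listed in Packages"
    if (entry.get("SHA256"), entry.get("Size")) != (sha256(deb), str(len(deb))):
        return "package does not match Packages"
    return "ok"

# Constructed sample data, not taken from a real archive.
DEB = b"constructed stand-in for the bytes of a .deb"
DEB_PATH = "pool/main/h/hello/hello_1.0_all.deb"
PACKAGES = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
INDEX = "main/binary-i386/Packages"
RELEASE = f"Suite: stable\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n"
print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
```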
