
Re: Debian packages without md5sums



On Thu, 13 Sep 2007 12:29:28 -0700, Andrew Sackville-West wrote:

> On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:

>> How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages?
> 
> sorry, beyond me. on my system it just works. 
> 
>> 
>> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
>> has not been altered, but the signer is unknown"?
> 
> I'm not sure.
> 
>> 
>> If so, then I am worrying about nothing!!
> 
> not if the package is a compromised package that's been signed by the
> compromiser so that its signature is good but from an untrusted
> source, but we're outside my understanding here.

Mine too.

But an out-of-sync repository sounds a much worse fate than the remote
possibility that packages on Etch DVDs (from a reputable supplier) were
tampered with and then gpg-signed by the tamperer.

Thank you for sharing your experience.

Felix
-- 
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)


