Re: Debian packages without md5sums
On Thu, 13 Sep 2007 12:29:28 -0700, Andrew Sackville-West wrote:
> On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
>> How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages?
>
> sorry, beyond me. on my system it just works.
>
>>
>> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
>> has not been altered, but the signer is unknown"?
>
> I'm not sure.
>
>>
>> If so, then I am worrying about nothing!!
>
> not if the package is a compromised package that's been signed by the
> compromiser so that its signature is good but from an untrusted
> source, but we're outside my understanding here.

Mine too.

But an out-of-sync repository sounds a much worse fate than the remote
possibility that packages on Etch DVDs (from a reputable supplier) were
tampered with and then gpg-signed by the tamperer.

Thank you for sharing your experience.

Felix
--
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)