
Re: Debian packages without md5sums



Hi,

First, missing md5sum values reported by debsums are normal.

Second, the signed-key feature is a nice security feature, but it was a new
feature.  During etch's testing period, I recall several problems which
erroneously made packages be reported as unsigned.

On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
> 
> > On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
> >> 
> >> The fault is mine/my setup.  My connection to the internet is slow;
> >> hence I am reduced to using the DVDs for upgrades.  Although I procured
> >> the "official" Etch DVD set from a supplier listed by Debian, there were
> >> numerous notifications during the "dist-upgrade" that I was installing
> >> "untrusted packages".

When was it?  If this is an upgrade from etch to lenny or sid on an official
server, I will not worry too much.

> > these errors (untrusted packages) have to do with the new secure-apt
> > system which uses gpg keys to confirm the signatures on
> > packages. Install the debian-archive-keyring package and then update.
> > 
> 
> The package was installed by default during the upgrade to Etch.  But
> the documentation on how to use it is sparse.  A new (December 2003!) apt
> routine - apt-key - can now be invoked and offers the following options:
> 
> | Usage: apt-key [command] [arguments]
> | 
> | Manage apt's list of trusted keys
> | 
> |   apt-key add <file>          - add the key contained in <file> ('-' for stdin)
> |   apt-key del <keyid>         - remove the key <keyid>
> |   apt-key update              - update keys using the keyring package
> |   apt-key list                - list keys
> 
> 
> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> authenticate the individual installed packages?

Oh, dpkg automatically checks it for you when you use apt-get/aptitude
to install packages.  (Unless you disable it.)

> I have no wish to re-invent the wheel - even if I knew how. A pointer to
> documentation would help. I have the gpg package installed and have used
> it occasionally to sign my emails; but there must be a routine for using
> the Etch Stable Release Key for checking 1000+ installed Debian
> packages.

For debsums, I just filed a bug report which provides a command to generate
missing md5sum values from files in the package.

  http://bugs.debian.org/443530

This should let you check your system better.

But my advice is do not worry too much...  it should be fine.  These
days, keys work nicely and the next upgrade of a package will check these
new packages against the archive key.

> An afterthought:
> 
> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
> has not been altered, but the signer is unknown"?

The key is created by the Debian ftp master.  He placed it on the master
archive machine.  Then there is nice automation to sign those official
packages.  Since the secret key is unavailable to people except ftp-master,
the proper signature cannot be faked by others.  (I do not have access
to the secret archive key.)

> If so, then I am worrying about nothing!!

> >> Is there an alternative to "aptitude update" or do I have to live with the
> >> missing md5sums and "untrusted packages"?
> > 
> > there is not really any alternative to "aptitude update"
> 
> If the update needs to be done while "online", it is probably a lost
> cause.

Well, look through the mail archives (debian-user or debian-devel) on archive key
issues.  You are not alone.

> Thank you for taking the time to point me in the right direction.

Good luck.

Osamu
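To illustrate the md5sums side of the discussion above, here is an added example that is not from the thread, from debsums, or from the bug report it cites: it builds a dpkg-style `.md5sums` list for a package's installed files (the paths `dpkg -L` prints) and then verifies them the way debsums does with `md5sum -c`. Function names and the root-directory argument are assumptions for running it against a scratch tree; sums generated after installation only record the files as they are at that moment, so they catch later changes but say nothing about the package's state when it was installed.

```shell
#!/bin/sh
# Added example (assumed helper names, not debsums code): reconstruct
# /var/lib/dpkg/info/<pkg>.md5sums from a list of installed paths and
# verify it. ROOT is a directory prefix so the script can run on a
# scratch tree instead of the real filesystem.

# gen_md5sums ROOT PKG: read absolute paths on stdin (as printed by
# `dpkg -L PKG`), hash the regular files under ROOT, and write
# ROOT/var/lib/dpkg/info/PKG.md5sums in dpkg's format:
# "<hex>  <path without leading slash>". Directories, symlinks and
# other non-regular entries get no line, just as in real .md5sums files.
# Prints the number of entries written.
gen_md5sums() {
    root=$1; pkg=$2
    out="$root/var/lib/dpkg/info/$pkg.md5sums"
    mkdir -p "$(dirname "$out")"
    : > "$out"
    while IFS= read -r path; do
        f="$root$path"
        [ -f "$f" ] || continue
        h=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "${path#/}" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# check_md5sums ROOT PKG: exit 0 if every recorded file still matches,
# non-zero if any file changed or is missing (what debsums reports as
# a failure). Paths in the list are relative to ROOT, so cd there first.
check_md5sums() {
    root=$1; pkg=$2
    (cd "$root" && md5sum -c "var/lib/dpkg/info/$pkg.md5sums") >/dev/null 2>&1
}
```

Run against the real system by replacing ROOT with / and feeding `dpkg -L PKG` into gen_md5sums, keeping in mind that this overwrites any existing .md5sums file for that package.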
