Re: Debian packages without md5sums
On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <email@example.com> was heard to say:
> >> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> >> authenticate the individual installed packages?
> > Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> > to install a package. (Unless you disable it.)
> So is the answer to my question:
> "use aptitude and not Synaptic" for installing packages?
It shouldn't matter which frontend you use. All the major frontends
check the signature of the Release file when you download package lists
from the archive. The Release file contains a cryptographic checksum
for the Packages file, which contains checksums for each individual .deb.

dpkg performs no key checking, at least on packages in the Debian
archive. There was some experimental code to stick embedded signatures
into .deb files, but I don't know what its status is and packages
containing signatures aren't allowed in the archive last I heard.