
Re: Untrusted Source



On Wed, Oct 10, 2007 at 07:47:22PM -0700, Raquel wrote:
> On Wed, 10 Oct 2007 16:11:13 -0700
> Andrew Sackville-West <andrew@farwestbilliards.com> wrote:
> 
> > On Wed, Oct 10, 2007 at 06:38:36PM -0400, Douglas A. Tutty wrote:
> > > On Wed, Oct 10, 2007 at 03:31:16PM -0700, Raquel wrote:
> > > > I'm wanting to install a package from outside Debian, Symfony.
> > > > It's a PHP framework.  However, I got scared because of all the
> > > > warnings that aptitude showed me.  Do I really need to be
> > > > careful of installing something like this?
> > > 
> > > Since you haven't told apt that you trust this source, then yes.
> > > You always have to be careful installing something from an untrusted
> > > source. I've never heard of Symfony but then I don't do PHP.
> > > 
> > > Do you trust the source for Symfony?  Does its repository have an
> > > apt keyring?  If you trust it, install the keyring and then apt
> > > will trust it.
> > 
> > but be sure to verify the keys on that keyring. 

I have a local repo in my sources list, how do I add keys to it and then to the
apt key list?

in my sources.list.d/local.list
deb file:///exports/shared/repository binary/
deb-src file:///exports/shared/repository source/

find /exports/shared/repository -type d

/exports/shared/repository
/exports/shared/repository/binary
/exports/shared/repository/source


and I use this to update the files
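#!/bin/bash

# Regenerate the package and source indexes for the local repository.
# Stop if the repository directory is missing so nothing is written elsewhere.
cd /exports/shared/repository || exit 1
dpkg-scanpackages binary /dev/null | gzip -9c > binary/Packages.gz
dpkg-scansources source /dev/null | gzip -9c > source/Sources.gz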


Alex

> > 
> > Raquel - aptitude showed you those warnings because it couldn't
> > verify the signatures on the package you were trying to install,
> > if there were any signatures at all. If you aren't equipped with
> > the skills to verify to your own satisfaction the safety of a
> > package, then you should stick with debian packages and not move
> > outside that. 
> > 
> > A
> > 
> 
> Another thought.  This same piece of software can be installed via a
> *.tgz file and it can be installed using Pear.  Maybe one of those
> methods would be better.
> 
> -- 
> Raquel
> ============================================================
> This above all: to thine own self be true; And it must follow, as
> the night the day; Thou canst not then be false to any man.
>   --William Shakespeare, (Hamlet)
> 

Attachment: signature.asc
Description: Digital signature
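
One way to do what the message above asks, as an added example that is not part of the thread: write a Release file for each directory of the flat repository, sign it with gpg, and give apt the public key. The function names, KEYID and the keyring path /etc/apt/keyrings/local-repo.gpg are assumptions; `apt-ftparchive release` from apt-utils is the usual tool for the Release step, which is written out by hand here to show what the signature covers.

```bash
#!/bin/bash
# Added example, not from the thread. Function names, KEYID and the keyring
# path are assumptions; the repository paths are the ones in the post.

# Write DIR/Release with the size and SHA256 of each index file present in DIR.
# This is the file apt checks the signature on.
make_release() (
    cd "$1" || exit 1
    {
        echo "Date: $(LC_ALL=C date -u '+%a, %d %b %Y %H:%M:%S UTC')"
        echo "SHA256:"
        for f in Packages Packages.gz Sources Sources.gz; do
            [ -f "$f" ] || continue
            printf ' %s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                "$(wc -c < "$f" | tr -d ' ')" "$f"
        done
    } > Release
)

# Recompute every hash listed in DIR/Release; fails on a mismatch or an
# empty list, so a stale Release is caught before it is signed.
check_release() (
    cd "$1" || exit 1
    sed -n 's/^ \([0-9a-f]\{64\}\) [0-9][0-9]* \(.*\)$/\1  \2/p' Release |
        sha256sum -c --quiet -
)

# Sign DIR/Release with key KEYID: detached Release.gpg plus inline InRelease.
sign_release() (
    cd "$1" || exit 1
    gpg --batch --yes --local-user "$2" --armor --detach-sign \
        --output Release.gpg Release &&
    gpg --batch --yes --local-user "$2" --clearsign --output InRelease Release
)

# Export the public half of KEYID to a keyring file for apt.
export_key() { gpg --export "$1" > "$2"; }

# Usage after the dpkg-scanpackages/dpkg-scansources script has run:
#   for d in binary source; do
#       make_release "/exports/shared/repository/$d" &&
#       check_release "/exports/shared/repository/$d" &&
#       sign_release "/exports/shared/repository/$d" KEYID
#   done
#   export_key KEYID /etc/apt/keyrings/local-repo.gpg   # as root
#   gpg --show-keys --with-fingerprint /etc/apt/keyrings/local-repo.gpg
# then in local.list:
#   deb [signed-by=/etc/apt/keyrings/local-repo.gpg] file:///exports/shared/repository binary/
```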

