Re: Debian packages without md5sums

To: felix@spodzone.org.uk
Cc: debian-user@lists.debian.org
Subject: Re: Debian packages without md5sums
From: Daniel Burrows <dburrows@debian.org>
Date: Mon, 01 Oct 2007 09:26:34 -0700
Message-id: <[🔎] 20071001162634.GA22490@alpaca>
In-reply-to: <fd7ifd$lnh$1@sea.gmane.org>
References: <fc4ca6$5tg$1@sea.gmane.org> <20070911181553.GB18618@localhost.localdomain> <fc9lgh$j1h$1@sea.gmane.org> <20070923083220.GA23398@debian.org> <fd7ifd$lnh$1@sea.gmane.org>

On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <felixk@webone.com.au> was heard to say:
> >> But How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> >> authenticate the individual installed packages. 
> > 
> > Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> > to install package.  (Unless you disable it.)
> 
> So is the answer to my question:
> 
> 	"use aptitude and not Synaptic" for installing packages?

  It shouldn't matter which frontend you use.  All the major frontends
check the signature of the Release file when you download package lists
from the archive.  The Release file contains a cryptographic checksum
for the Packages file, which contains checksums for each individual .deb
package.

  dpkg performs no key checking, at least on packages in the Debian
archive.  There was some experimental code to stick embedded signatures
into .deb files, but I don't know what it's status is and packages
containing signatures aren't allowed in the archive last I heard.

  Daniel

Reply to:

Follow-Ups:
- Re: Debian packages without md5sums
  - From: Carl Johnson <carlj@peak.org>

Prev by Date: cdrecord vs. wodim again
Next by Date: Re: Etch-backports and gpg problems (SOLVED)
Previous by thread: cdrecord vs. wodim again
Next by thread: Re: Debian packages without md5sums
Index(es):
- Date
- Thread