Re: Debian packages without md5sums
On Tue, Oct 02, 2007 at 21:02:41 -0700, Carl Johnson wrote:
> Daniel Burrows writes:
[...]
> > It shouldn't matter which frontend you use. All the major frontends
> > check the signature of the Release file when you download package lists
> > from the archive. The Release file contains a cryptographic checksum
> > for the Packages file, which contains checksums for each individual .deb
> > package.
> >
> > dpkg performs no key checking, at least on packages in the Debian
> > archive. There was some experimental code to stick embedded signatures
> > into .deb files, but I don't know what it's status is and packages
> > containing signatures aren't allowed in the archive last I heard.
>
> Is there some way to get the system to re-read the release file? I
> installed the key after I upgradeed the system to etch, so all
> packages on my DVDs show as being unverified. I have tried to get it
> to clear that, but nothing I have tried has worked.
Did you try to remove all the DVD-related lines from your
/etc/apt/sources.list, run "aptitude update" and then add the DVD(s)
again using the "apt-cdrom" command? I think that should work but I have
not tested it.
If apt still complains about missing keys after that then you might have
to add one or more keys to apt's keyring. Aptitude will show the ID
of the missing key so you can download it and add it with "apt-key".
> I also noticed
> recently that some packages show multiple entries in aptitude, so
> possibly clearing the entries would clear that.
Do you mean multiple versions for the same package or the same package
name as two separate entries? (The former would be OK, the latter would
be cause for concern, I think.) Can you give an example with more
details?
--
Regards, | http://users.icfo.es/Florian.Kulzer
Florian |
Reply to: