
Re: Lenny?



On Sun, Feb 15, 2009 at 11:38:45 -0600, Kent West wrote:
> Florian Kulzer wrote:
> > On Sun, Feb 15, 2009 at 08:47:06 -0600, Kent West wrote:

[...]

> >> westk[@]goshen]:/home/westk:> sudo apt-get update
> >> Password:
> >>     
> >
> > [...]
> >
> >   
> >> W: There is no public key available for the following key IDs:
> >> 4D270D06F42584E6
> >> W: You may want to run apt-get update to correct these problems
> >>     
> >
> > Check the version of your debian-archive-keyring package; the newest one
> > (2009.01.31) has this key:

[...]

> On my etch box, this package was not installed. So I installed it (and
> most all, if not all, of Gnome was removed as part of the process
> (?!!)).

I cannot see how the debian-archive-keyring would trigger the removal of
Gnome packages, therefore I would guess that this is the symptom of an
unrelated problem. What happens if you try to install Gnome again
(assuming that you want it back)?

> Now I have this version:
> 
> Sun Feb 15     11:35:06
> -------------
> westk[@]goshen]:/home/westk:> sudo aptitude show debian-archive-keyring
> Unable to find an archive "stable" for the package "debian-archive-keyring"
> Package: debian-archive-keyring
> State: installed
> Automatically installed: no
> Version: 2007.07.31~etch1

[...]

> And if I enable Lenny in my sources.list and do another update, I still
> have the same problem.
> 
> So it seems to me that there's no ("normal, everyday-user") way to
> validate that the Lenny packages are valid without first installing a
> Lenny package which you can't be sure is valid.
> 
> Am I missing something?

The Release files have two signatures at the moment to facilitate the
transition:

$ gpg -vv --list-only /var/lib/apt/lists/*_stable_Release.gpg 2>&1 | grep signature
:signature packet: algo 17, keyid A70DAF536070D3A1
:signature packet: algo 17, keyid 4D270D06F42584E6

Your apt keyring should contain A70DAF536070D3A1 ("Debian Archive
Automatic Signing Key (4.0/etch)") as a trusted key, so apt(itude)
should be able to verify one of the signatures. That is good enough
because you are trusting the Etch key already anyway. As long as
apt(itude) does not complain that a package is "untrusted" you can be
sure that there is at least one trusted signature vouching for it. (This
assumes that you did not change the default configuration regarding
verification of package integrity.) The post-installation script of the
new version of debian-archive-keyring will add the Lenny key to apt's
keyring automatically so that you are ready for the future. (The Etch
key expires on 2009-07-01.)

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
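
The "one trusted signature is enough" rule described in the message above, as an added example that is not part of the original post: it takes the signature-packet listing that gpg printed for Release.gpg and reports which signing keys a given apt keyring already trusts. The function and variable names are hypothetical, the sample listing is constructed from the two lines quoted in the message, and the script only matches key IDs; the cryptographic check itself is still done by apt.

```shell
#!/bin/sh
# Added example, not code from the original message.
# Constructed sample input: the two signature-packet lines quoted above, as
# printed by `gpg -vv --list-only ..._stable_Release.gpg 2>&1`.
SAMPLE_PACKETS=':signature packet: algo 17, keyid A70DAF536070D3A1
:signature packet: algo 17, keyid 4D270D06F42584E6'

# Assumption: an etch box whose apt keyring trusts only the etch archive key.
ETCH_TRUSTED='A70DAF536070D3A1'

# sig_keyids: read a gpg packet listing on stdin and print one long key ID
# per signature packet, normalised to upper case.
sig_keyids() {
    sed -n 's/^:signature packet:.* keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        tr 'a-f' 'A-F'
}

# check_release_sigs LISTING TRUSTED_IDS
#   LISTING      text of the packet listing
#   TRUSTED_IDS  space-separated long key IDs present in apt's keyring
# Prints "trusted <id>" or "unknown <id>" for every signature and returns 0
# when at least one signer is trusted, 1 when none is (or none was found).
check_release_sigs() {
    verdict=1
    for id in $(printf '%s\n' "$1" | sig_keyids); do
        case " $2 " in
            *" $id "*) echo "trusted $id"; verdict=0 ;;
            *)         echo "unknown $id" ;;
        esac
    done
    return "$verdict"
}

# Etch keyring against the doubly signed Release file: the lenny key is
# unknown (hence the "no public key" warning), the etch key is trusted.
check_release_sigs "$SAMPLE_PACKETS" "$ETCH_TRUSTED"
```

A return status of 1 corresponds to the case where no signer is in the keyring at all, which is when apt would treat the packages as untrusted.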

