On Monday 02 March 2009 12:05:20 email@example.com wrote:
> I am using a repository that doesn't sign its package. I know and
> trust it.

That's not exactly what the signatures are about. They are mainly about preventing MitM attacks, whether from mirror administrators or someone attacking your internet connection directly.

> Each time I install, I get the aptitude warning, which is
> fine with me. But I wish aptitude would tell me which repository the
> package was coming from, so I could be absolutely sure it was what I
> expect.

The best it could tell you is the URL it tried to retrieve the Release file from. That's no guarantee the Release file wasn't modified on the way to your system or by a mirror administrator.

> Is there a place I can ask for this? A bug system I could use?

For the URL notification I mentioned above, use reportbug against the aptitude package (or just send an email to the right place).

However, the repository should really be signed. It's not that hard. (I even sign my local repository that is accessed via file:// and stored on a local disk.) You should email the maintainer of the repository in question (or file a bug with their bugtracker) to have them sign it and publish the public key.

There's really no reason you can't file both bugs and work at the problem from both sides.
-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
firstname.lastname@example.org           ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy          `-'(. .)`-'
http://iguanasuicide.net/                     \_/
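The signing step the reply calls "not that hard", worked through as an added example that is not part of the original thread and not code from any Debian tool. It builds a throwaway repository in a temp directory, writes a Release file whose SHA256 section covers the Packages index, signs it with a freshly generated key both ways apt understands (inline InRelease and detached Release.gpg), and then checks it the way a client would: signature over Release first, then the hash chain Release -> Packages. The repository layout, package name, key identity and every path are constructed for this demonstration; it assumes GnuPG 2.1+ and sha256sum are installed.

```shell
#!/bin/sh
# Added example (not from the original thread): sign a small local apt
# repository and verify it the way secure-apt does, using a throwaway key.
# Assumes gpg (GnuPG 2.1+) and sha256sum; all paths and the key identity
# below are constructed for this demonstration.
set -eu

# Build a minimal repository under a temp dir and print its path.
make_repo() {
    repo=$(mktemp -d)
    mkdir -p "$repo/dists/stable/main/binary-amd64"
    # Constructed Packages index; a real one comes from dpkg-scanpackages
    # or apt-ftparchive and also carries the .deb's own SHA256.
    printf 'Package: hello\nVersion: 1.0\nArchitecture: amd64\nFilename: pool/main/h/hello_1.0_amd64.deb\n' \
        > "$repo/dists/stable/main/binary-amd64/Packages"
    printf '%s\n' "$repo"
}

# Write a Release file whose SHA256 section lists every Packages index.
# This is the hash chain the signature protects: Release -> Packages -> .deb.
write_release() {
    dist="$1/dists/stable"
    {
        printf 'Origin: Example\nSuite: stable\nCodename: stable\n'
        printf 'Architectures: amd64\nComponents: main\nSHA256:\n'
        ( cd "$dist" && find . -type f -name Packages | sed 's|^\./||' | while read -r f; do
            printf ' %s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(wc -c < "$f" | tr -d ' ')" "$f"
        done )
    } > "$dist/Release"
}

# Generate a signing key in an isolated GNUPGHOME, sign Release inline
# (InRelease) and detached (Release.gpg), and export the public key that
# clients would install (e.g. under /etc/apt/keyrings/).
sign_release() {
    repo=$1
    dist="$repo/dists/stable"
    export GNUPGHOME="$repo/.gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Repo Signing Key <repo@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1
    gpg --batch --quiet --yes --clearsign -o "$dist/InRelease" "$dist/Release" 2>/dev/null
    gpg --batch --quiet --yes --armor --detach-sign -o "$dist/Release.gpg" "$dist/Release" 2>/dev/null
    gpg --batch --quiet --armor --export 'repo@example.invalid' > "$repo/repo-key.asc" 2>/dev/null
    gpgconf --kill gpg-agent 2>/dev/null || true
}

# Verify as a client would: the detached signature must check out under the
# published key, and every SHA256 entry in Release must match the file on
# disk. Prints "ok" and returns 0, or prints "FAILED" and returns 1.
verify_repo() {
    dist="$1/dists/stable"
    vhome=$(mktemp -d)
    chmod 700 "$vhome"
    GNUPGHOME="$vhome" gpg --batch --quiet --import "$1/repo-key.asc" >/dev/null 2>&1
    if ! GNUPGHOME="$vhome" gpg --batch --quiet --verify "$dist/Release.gpg" "$dist/Release" >/dev/null 2>&1; then
        echo FAILED; return 1
    fi
    GNUPGHOME="$vhome" gpgconf --kill gpg-agent 2>/dev/null || true
    # Turn the SHA256 section into "hash  file" lines and let sha256sum check them.
    ( cd "$dist" && sed -n '/^SHA256:/,$p' Release | awk 'NR>1 {print $1"  "$3}' \
        | sha256sum -c --quiet --status ) || { echo FAILED; return 1; }
    echo ok
}

# Stand-alone demo: `sh this_script.sh demo`
if [ "${1:-}" = demo ]; then
    r=$(make_repo)
    write_release "$r"
    sign_release "$r"
    verify_repo "$r"                       # ok
    printf 'Package: tampered\n' >> "$r/dists/stable/main/binary-amd64/Packages"
    verify_repo "$r" || true               # FAILED: Packages no longer matches Release
fi
```

Tampering with Packages after signing fails the hash check even though the signature over Release is still valid, and altering Release itself fails the signature check; an unsigned repository offers neither, which is why the aptitude warning exists regardless of which URL the files came from.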