[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how to ask for aptitude "improvement" wrt unsigned package

On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
> I am using a repository that doesn't sign its package.  I know and
> trust it.

That's not exactly what the signatures are about.  They are mainly about 
preventing MitM attacks, whether from mirror administrators or someone 
attacking your internet connection directly.

> Each time I install, I get the aptitude warning, which is
> fine with me.  But I wish aptitude would tell me which repository the
> package was coming from, so I could be absolutely sure it was what I
> expect.

The best it could tell you is the URL it tried to retrieve the Release file 
from.  That's no guarantee the Release file wasn't modified on the way to 
your system or my a mirror administrator.

> Is there a place I can ask for this.  A bug system I could use?

For the URL notification I mentioned above, use reportbug against the 
aptitude package (or just send an email to the right place).

However, the repository should really be signed.  It's not that hard.  (I 
even sign my local repository that is accessed via file:// and stored on a 
local disk).  You should email the maintainer of the repository in question 
(or file a bug with their bugtracker) to have them sign it and publish the 
public key.

There's really no reason you can't file both bugs and work at the problem 
from both sides.
Boyd Stephen Smith Jr.           	 ,= ,-_-. =.
bss@iguanasuicide.net            	((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy 	 `-'(. .)`-'
http://iguanasuicide.net/        	     \_/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: