Re: how to ask for aptitude "improvement" wrt unsigned package
On Mon, 2 Mar 2009 14:40:54 -0600
"Boyd Stephen Smith Jr." <email@example.com> wrote:
> On Monday 02 March 2009 12:05:20 firstname.lastname@example.org wrote:
> > I am using a repository that doesn't sign its package. I know and
> > trust it.
> That's not exactly what the signatures are about. They are mainly about
> preventing MitM attacks, whether from mirror administrators or someone
> attacking your internet connection directly.
> > Each time I install, I get the aptitude warning, which is
> > fine with me. But I wish aptitude would tell me which repository the
> > package was coming from, so I could be absolutely sure it was what I
> > expect.
> The best it could tell you is the URL it tried to retrieve the Release file
> from. That's no guarantee the Release file wasn't modified on the way to
> your system or by a mirror administrator.
Or that the URL isn't being misdirected to a malicious server, perhaps
through DNS poisoning.
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator