[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how to ask for aptitude "improvement" wrt unsigned package

On Mon, 2 Mar 2009 14:40:54 -0600
"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> wrote:

> On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
> > I am using a repository that doesn't sign its package.  I know and
> > trust it.
> 
> That's not exactly what the signatures are about.  They are mainly about 
> preventing MitM attacks, whether from mirror administrators or someone 
> attacking your internet connection directly.
> 
> > Each time I install, I get the aptitude warning, which is
> > fine with me.  But I wish aptitude would tell me which repository the
> > package was coming from, so I could be absolutely sure it was what I
> > expect.
> 
> The best it could tell you is the URL it tried to retrieve the Release file 
> from.  That's no guarantee the Release file wasn't modified on the way to 
> your system or my a mirror administrator.

Or that the URL isn't being misdirected to a malicious server, perhaps
through DNS poisoning.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Reply to: