Hi Goswin On Wednesday 07 Oct 2009 10:10:45 Goswin von Brederlow wrote: > Which is what I said. You just put the files into /var/lib/apt/lists/ > under the right name and apt assumes they check out. It doesn't > actualy verify them any more once they passed the initial verify and > left /partial/. > > Then, to get apt to parse the files you placed there you run > > apt_get --no-download update > > That should blindly accept the files as trusted. > This was exactly what I was doing earlier. I was writing them directly to /var/lib/apt/lists. Only with the exception that I was skipping the Release.gpg files. The downloaded files are archive files, so I was extracting them and then writing. And then if I did "apt-get upgrade", it would complain of untrusted sources. Perhaps if I allowed apt-get to do the extraction, it would have marked them as trusted. Anyway, what I have ended up with looks good. Doing a secure check of the apt updates should be good. :-) Actually this will help a lot. Person A gives apt-offline signature to Person B (A friend, running Windows) to download it for him. Person B downloaded something and returned back to Person A. At this point PersonA has an option to be ensured that the data he is going to sync to apt is really from Debian or not. Regards, Ritesh -- Ritesh Raj Sarraf RESEARCHUT - http://www.researchut.com "Necessity is the mother of invention."
Attachment:
signature.asc
Description: This is a digitally signed message part.