Re: Debian packages without md5sums
- From: Felix Karpfen <felixk@xxxxxxxxxxxxx>
- Date: Sat, 15 Sep 2007 21:16:56 +0000 (UTC)
On Thu, 13 Sep 2007 12:29:28 -0700, Andrew Sackville-West wrote:
> On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
>> How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages?
>
> sorry, beyond me. on my system it just works.
>
>> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
>> has not been altered, but the signer is unknown"?
>
> I'm not sure.
>
>> If so, then I am worrying about nothing!!
>
> not if the package is a compromised package that's been signed by the
> compromiser so that its signature is good but from an untrusted
> source, but we're outside my understanding here.

But an out-of-sync repository sounds a much worse fate than the remote
possibility that packages on Etch DVDs (from a reputable supplier) were
tampered with and then gpg-signed by the tamperer.
Thank you for sharing your experience.
Public Key 72FDF9DF (DH/DSA)