Re: Debian packages without md5sums



On Thu, 13 Sep 2007 12:29:28 -0700, Andrew Sackville-West wrote:

> On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
>
>> How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages.
>
> sorry, beyond me. on my system it just works.
>
>> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
>> has not been altered, but the signer is unknown"?
>
> I'm not sure.
>
>> If so, then I am worrying about nothing!!
>
> not if the package is a compromised package that's been signed by the
> compromiser so that its signature is good but from an untrusted
> source, but we're outside my understanding here.

Mine too.

But an out-of-sync repository sounds a much worse fate than the remote
possibility that packages on Etch DVDs (from a reputable supplier) were
tampered with and then gpg-signed by the tamperer.

Thank you for sharing your experience.

Felix



--
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)

