Old 03-02-2009, 05:05 PM
 
Default how to ask for aptitude "improvement" wrt unsigned package

I am using a repository that doesn't sign its package. I know and
trust it. Each time I install, I get the aptitude warning, which is
fine with me. But I wish aptitude would tell me which repository the
package was coming from, so I could be absolutely sure it was what I expect.

Is there a place I can ask for this? A bug system I could use?
Please point me in the right direction.
--


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 03-02-2009, 06:12 PM
David Jardine
 
Default how to ask for aptitude "improvement" wrt unsigned package

On Mon, Mar 02, 2009 at 01:05:20PM -0500, marcausl@gmail.com wrote:
> I am using a repository that doesn't sign its package. I know and
> trust it. Each time I install, I get the aptitude warning, which is
> fine with me. But I wish aptitude would tell me which repository the
> package was coming from, so I could be absolutely sure it was what I expect.
>
> Is there a place I can ask for this? A bug system I could use?
> Please point me in the right direction.

Install the 'reportbug' package and file a bug against aptitude.

--
"Running Debian/GNU Linux and
loving every minute of it." -L. von Sacher-M. (1835-1895)


 
Old 03-02-2009, 07:40 PM
"Boyd Stephen Smith Jr."
 
Default how to ask for aptitude "improvement" wrt unsigned package

On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
> I am using a repository that doesn't sign its package. I know and
> trust it.

That's not exactly what the signatures are about. They are mainly about
preventing MitM attacks, whether from mirror administrators or someone
attacking your internet connection directly.

> Each time I install, I get the aptitude warning, which is
> fine with me. But I wish aptitude would tell me which repository the
> package was coming from, so I could be absolutely sure it was what I
> expect.

The best it could tell you is the URL it tried to retrieve the Release file
from. That's no guarantee the Release file wasn't modified on the way to
your system or by a mirror administrator.

> Is there a place I can ask for this? A bug system I could use?

For the URL notification I mentioned above, use reportbug against the
aptitude package (or just send an email to the right place).

However, the repository should really be signed. It's not that hard. (I
even sign my local repository that is accessed via file:// and stored on a
local disk). You should email the maintainer of the repository in question
(or file a bug with their bugtracker) to have them sign it and publish the
public key.

There's really no reason you can't file both bugs and work at the problem
from both sides.
--
Boyd Stephen Smith Jr.
bss@iguanasuicide.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
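Boyd's point above is that the archive signature, not the URL, is what binds a package to its publisher: the signature covers the Release file, the Release file lists the digest of each Packages index, and the index lists the digest of each .deb. The following Python script is an added illustration of that hash chain (it is not code from this thread or from apt); all repository data in it is constructed, and the OpenPGP check on Release itself (gpgv over Release.gpg) is assumed to have already passed.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field; only "SHA256:" interests us
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()  # " <hex> <size> <relative path>"
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Return {Filename: (sha256_hex, size)} for each stanza in a Packages index."""
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        pkgs[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return pkgs

def verify_blob(data, expected):
    """Size and SHA-256 must both match what the signed metadata promised."""
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_chain(release_text, packages_path, packages_text, deb_path, deb_bytes):
    """Check Packages against the signed Release, then the .deb against Packages."""
    release = parse_release_sha256(release_text)
    if packages_path not in release or not verify_blob(packages_text.encode(), release[packages_path]):
        return "packages index does not match signed Release"
    pkgs = parse_packages(packages_text)
    if deb_path not in pkgs or not verify_blob(deb_bytes, pkgs[deb_path]):
        return "deb does not match Packages index"
    return "ok"

# Constructed sample repository (not a real mirror); hashes are derived so the chain is consistent.
DEB_PATH = "pool/main/h/hello/hello_2.4-1_amd64.deb"
DEB_BYTES = b"constructed .deb contents"
PACKAGES = (f"Package: hello\nVersion: 2.4-1\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n")
PACKAGES_PATH = "main/binary-amd64/Packages"
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES.encode()).hexdigest()} {len(PACKAGES.encode())} {PACKAGES_PATH}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, PACKAGES_PATH, PACKAGES, DEB_PATH, DEB_BYTES))
    print(verify_chain(RELEASE, PACKAGES_PATH, PACKAGES, DEB_PATH, DEB_BYTES + b"x"))
```

A byte changed anywhere below the signed Release, whether by a mirror, an on-path attacker or a failing disk, breaks one link of this chain; an unsigned repository has no anchor for it, which is why the warning is not just noise.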
 
Old 03-03-2009, 12:05 AM
Celejar
 
Default how to ask for aptitude "improvement" wrt unsigned package

On Mon, 2 Mar 2009 14:40:54 -0600
"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> wrote:

> On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
> > I am using a repository that doesn't sign its package. I know and
> > trust it.
>
> That's not exactly what the signatures are about. They are mainly about
> preventing MitM attacks, whether from mirror administrators or someone
> attacking your internet connection directly.
>
> > Each time I install, I get the aptitude warning, which is
> > fine with me. But I wish aptitude would tell me which repository the
> > package was coming from, so I could be absolutely sure it was what I
> > expect.
>
> The best it could tell you is the URL it tried to retrieve the Release file
> from. That's no guarantee the Release file wasn't modified on the way to
> your system or by a mirror administrator.

Or that the URL isn't being misdirected to a malicious server, perhaps
through DNS poisoning.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


 
Old 03-03-2009, 06:07 PM
Johannes Wiedersich
 
Default how to ask for aptitude "improvement" wrt unsigned package

Boyd Stephen Smith Jr. wrote:
> On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
>> I am using a repository that doesn't sign its package. I know and
>> trust it.
>
> That's not exactly what the signatures are about. They are mainly about
> preventing MitM attacks, whether from mirror administrators or someone
> attacking your internet connection directly.

Or earthly things like failing disks or failing network connections.
It's always good to _verify_ that the software arrives as intended by
the packager...

Cheers,
Johannes
