how to ask for aptitude "improvement" wrt unsigned package
I am using a repository that doesn't sign its package. I know and
trust it. Each time I install, I get the aptitude warning, which is
fine with me. But I wish aptitude would tell me which repository the
package was coming from, so I could be absolutely sure it was what I expect.
Is there a place I can ask for this? A bug system I could use?
Please point me in the right direction.
--
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
03-02-2009, 06:12 PM
David Jardine
how to ask for aptitude "improvement" wrt unsigned package
On Mon, Mar 02, 2009 at 01:05:20PM -0500, marcausl@gmail.com wrote:
> I am using a repository that doesn't sign its package. I know and
> trust it. Each time I install, I get the aptitude warning, which is
> fine with me. But I wish aptitude would tell me which repository the
> package was coming from, so I could be absolutely sure it was what I expect.
>
> Is there a place I can ask for this? A bug system I could use?
> Please point me in the right direction.
Install the 'reportbug' package and file a bug against aptitude.
--
"Running Debian/GNU Linux and
loving every minute of it." -L. von Sacher-M. (1835-1895)
03-02-2009, 07:40 PM
"Boyd Stephen Smith Jr."
how to ask for aptitude "improvement" wrt unsigned package
On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
> I am using a repository that doesn't sign its package. I know and
> trust it.
That's not exactly what the signatures are about. They are mainly about
preventing MitM attacks, whether from mirror administrators or someone
attacking your internet connection directly.
> Each time I install, I get the aptitude warning, which is
> fine with me. But I wish aptitude would tell me which repository the
> package was coming from, so I could be absolutely sure it was what I
> expect.
The best it could tell you is the URL it tried to retrieve the Release file
from. That's no guarantee the Release file wasn't modified on the way to
your system or by a mirror administrator.
> Is there a place I can ask for this? A bug system I could use?
For the URL notification I mentioned above, use reportbug against the
aptitude package (or just send an email to the right place).
However, the repository should really be signed. It's not that hard. (I
even sign my local repository that is accessed via file:// and stored on a
local disk). You should email the maintainer of the repository in question
(or file a bug with their bugtracker) to have them sign it and publish the
public key.
There's really no reason you can't file both bugs and work at the problem
from both sides.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
03-03-2009, 12:05 AM
Celejar
how to ask for aptitude "improvement" wrt unsigned package
On Mon, 2 Mar 2009 14:40:54 -0600
"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> wrote:
> On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
> > I am using a repository that doesn't sign its package. I know and
> > trust it.
>
> That's not exactly what the signatures are about. They are mainly about
> preventing MitM attacks, whether from mirror administrators or someone
> attacking your internet connection directly.
>
> > Each time I install, I get the aptitude warning, which is
> > fine with me. But I wish aptitude would tell me which repository the
> > package was coming from, so I could be absolutely sure it was what I
> > expect.
>
> The best it could tell you is the URL it tried to retrieve the Release file
> from. That's no guarantee the Release file wasn't modified on the way to
> your system or by a mirror administrator.
Or that the URL isn't being misdirected to a malicious server, perhaps
through DNS poisoning.
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
03-03-2009, 06:07 PM
Johannes Wiedersich
how to ask for aptitude "improvement" wrt unsigned package
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Boyd Stephen Smith Jr. wrote:
> On Monday 02 March 2009 12:05:20 marcausl@gmail.com wrote:
>> I am using a repository that doesn't sign its package. I know and
>> trust it.
>
> That's not exactly what the signatures are about. They are mainly about
> preventing MitM attacks, whether from mirror administrators or someone
> attacking your internet connection directly.
Or earthly things like failing disks or failing network connections.
It's always good to _verify_ that the software arrives as intended by
the packager...
Cheers,
Johannes
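The two points made in this thread, Boyd's (the signature on Release is what stops a modified or misdirected download from being accepted) and Johannes's (even a failing disk or link is caught because every file is checked against a hash that sits under that signature), are the same trust chain: OpenPGP signature over Release, SHA256 lines in Release over the Packages index, SHA256 field in the index over the .deb. The block below is an added example, not code from the list or from apt; it reimplements the hash part of that chain in plain Python over constructed sample files and shows how an altered index or package is rejected. The signature step itself (gpgv over Release with the repository's published key) is assumed to have happened already; for an unsigned repository it cannot, which is exactly why the hashes below prove nothing on their own. (To see which configured source a package would be installed from, `apt-cache policy <package>` prints the origin and priority for each candidate.)

```python
import hashlib
import hmac

# Constructed sample data: a tiny .deb stand-in, the Packages stanza that
# describes it, and the Release file that lists the index. These are not
# real archive files; they only have the fields the check below needs.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

DEB = b"!<arch>\nconstructed-deb-contents\n"

PACKAGES_TEMPLATE = b"""Package: example-tool
Version: 1.0-1
Architecture: amd64
Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb
Size: %d
SHA256: %s

"""
PACKAGES_BODY = PACKAGES_TEMPLATE % (len(DEB), sha256_hex(DEB).encode())

RELEASE = ("""Origin: Example
Suite: stable
Codename: example
Architectures: amd64
Components: main
SHA256:
 %s %d main/binary-amd64/Packages
""" % (sha256_hex(PACKAGES_BODY), len(PACKAGES_BODY))).encode()


def parse_release_sha256(release: bytes) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256: section of Release."""
    entries = {}
    in_section = False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # next top-level field; the hash list has ended
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def verify_index(release: bytes, path: str, data: bytes) -> bool:
    """Check an index file (e.g. Packages) against the signed Release listing."""
    expected = parse_release_sha256(release).get(path)
    if expected is None:
        return False  # Release does not vouch for this file at all
    digest, size = expected
    return len(data) == size and hmac.compare_digest(sha256_hex(data), digest)


def parse_packages(packages: bytes) -> dict:
    """Return {package_name: {field: value}} from a Packages index."""
    stanzas = {}
    for block in packages.decode().strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas[fields["Package"]] = fields
    return stanzas


def verify_deb(packages: bytes, name: str, deb: bytes) -> bool:
    """Check a downloaded .deb against the Size/SHA256 fields of its stanza."""
    fields = parse_packages(packages).get(name)
    if fields is None:
        return False
    return (len(deb) == int(fields["Size"])
            and hmac.compare_digest(sha256_hex(deb), fields["SHA256"]))


def verify_chain(release: bytes, packages: bytes, name: str, deb: bytes,
                 index_path: str = "main/binary-amd64/Packages") -> str:
    """Walk Release -> Packages -> .deb; the first broken link names the failure."""
    if not verify_index(release, index_path, packages):
        return "index-mismatch"
    if not verify_deb(packages, name, deb):
        return "package-mismatch"
    return "ok"


if __name__ == "__main__":
    print("intact:", verify_chain(RELEASE, PACKAGES_BODY, "example-tool", DEB))
    print("altered index:", verify_chain(RELEASE, PACKAGES_BODY + b"x", "example-tool", DEB))
    print("altered .deb:", verify_chain(RELEASE, PACKAGES_BODY, "example-tool", DEB + b"\x00"))
```

Both the size and the digest are compared, as apt does, and the digest comparison uses a constant-time compare out of habit rather than need (the hashes are public). Any flip in the index or the package is reported at the link where it happened, which is the behaviour behind the "Hash Sum mismatch" errors apt prints; what none of this can detect is a Release file that was itself swapped before download, which is the gap the missing signature leaves open.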