Hi,

On 28/01/2021 19:08, Ramin Doe wrote:
> "Currently there are two different implementations for signing
> individual packages..."
>
> I think this is referring to the GPG signature verification mechanisms
> that are disabled by default. I'm happy to not try to go down the
> route of enabling GPG verification, since it seems to be poorly
> documented (I haven't found a single concrete example of how to do
> this), so long as I can feel that the metadata checksum method is
> sufficiently reliable. I think that looking at the Release files would
> go a long way to relieving my anxiety about this. Any help would be
> appreciated!

Check any mirror? e.g. https://debian.ethz.ch/debian/dists/buster/

> I do wish there was an official document giving a high-level TLDR
> description of apt security, complete with caveats. As a bonus
> cherry-on-top wish, it would be awesome if it furthermore made clear
> what old mechanisms were deprecated and could be ignored!

The closest thing that comes to my mind would be
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html.

Hope it helps!

Cheers,
-- 
nodens
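As an added illustration of the "metadata checksum method" discussed above (example code written for this thread, not apt's own implementation), the following checks the link from a Release file to an index file: it parses the SHA256 section of a Release file, honours Valid-Until when present, and verifies an index's size and hash. It assumes the Release text has already been signature-checked (Release.gpg or InRelease against the archive keyring); the sample Packages and Release contents are constructed, not taken from a real mirror.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_release_sha256(release_text):
    """Map path -> (sha256 hex, size) from the SHA256: section of a Release file.
    The weaker MD5Sum/SHA1 sections are deliberately ignored."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # unindented line starts a new field
            in_section = (line.strip() == "SHA256:")
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def release_is_fresh(release_text, now):
    """Reject metadata past Valid-Until (guards against stale or replayed indexes)."""
    for line in release_text.splitlines():
        if line.startswith("Valid-Until:"):
            return now <= parsedate_to_datetime(line.split(":", 1)[1].strip())
    return True   # no Valid-Until field: no expiry can be enforced (a real caveat)


def verify_index(release_text, path, data, now):
    """True only if Release is unexpired, lists `path`, and size + SHA256 match."""
    if not release_is_fresh(release_text, now):
        return False
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:                            # unlisted index: never trusted
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


# Constructed sample index and Release file (not real Debian data); the hash is
# computed here only to build the fixture, as the archive tooling would.
PACKAGES = b"Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n\n"
SHA = hashlib.sha256(PACKAGES).hexdigest()
RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: buster\n"
    "Date: Sat, 30 Jan 2021 10:00:00 UTC\n"
    "Valid-Until: Sat, 06 Feb 2021 10:00:00 UTC\n"
    "MD5Sum:\n d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Release\n"
    f"SHA256:\n {SHA} {len(PACKAGES)} main/binary-amd64/Packages\n"
)
IN_DATE = datetime(2021, 1, 30, 12, 0, tzinfo=timezone.utc)
EXPIRED = datetime(2021, 2, 7, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("genuine:", verify_index(RELEASE, "main/binary-amd64/Packages", PACKAGES, IN_DATE))
    print("tampered:", verify_index(RELEASE, "main/binary-amd64/Packages", PACKAGES + b"\n", IN_DATE))
```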