On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
>
> > On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
> >>
> >> The fault is mine/my setup. My connection to the internet is slow;
> >> hence I am reduced to using the DVDs for upgrades. Although I procured
> >> the "official" Etch DVD set from a supplier listed by Debian, there were
> >> numerous notifications during the "dist-upgrade" that I was installing
> >> "untrusted packages".
> >
> > these errors (untrusted packages) have to do with the new secure-apt
> > system which uses gpg keys to confirm the signatures on
> > packages. Install the debian-archive-keyring package and then update.
> >
>
> The package was installed by default during the upgrade to Etch. But
> the documentation on how to use it is sparse. A new (December 2003!) apt
> routine - apt-key - can now be invoked and offers the following options:
>
> | Usage: apt-key [command] [arguments]
> |
> | Manage apt's list of trusted keys
> |
> | apt-key add <file> - add the key contained in <file> ('-' for
> stdin)
> | apt-key del <keyid> - remove the key <keyid>
> | apt-key update - update keys using the keyring package
> | apt-key list - list keys
>
>
> But How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> authenticate the individual installed packages. sorry, beyond me. on my system it just works. ... > > Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content > has not been altered, but the signer is unknown"? I'm not sure. > > If so, then I am worrying about nothing!! not if the package is a compromised package that's been signed by the compromiser so that its signature is good but from an untrusted source, but we're outside my understanding here. > > >> > >> Is there an alternative to "aptitude update" or do I have to live with the > >> missing md5sums and "untrusted packages"? > > > > there is not really any alternative to "aptitude update" > > If the update needs to be done while "online", it is probably a lost > cause. a proper online update would probably do you a lot of good in regards to the archive keys, but probably would get your repository out of sync with your dvd's. If you are installing from known good media and getting these errors, then I'd suggest that 1) you're probably okay and 2) you need to talk to whoever supplied that media and make sure they are up-to-date. A -- current song: The Killers - Everything Will Be Alright
signature.asc
Description: Digital signature
