On Thu, 13 Sep 2007 12:29:28 -0700, Andrew Sackville-West wrote:

> On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
>> How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages?
>
> sorry, beyond me. on my system it just works.
>
>>
>> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
>> has not been altered, but the signer is unknown"?
>
> I'm not sure.
>
>>
>> If so, then I am worrying about nothing!!
>
> not if the package is a compromised package that's been signed by the
> compromiser so that its signature is good but from an untrusted
> source, but we're outside my understanding here.

Mine too. But an out-of-sync repository sounds a much worse fate than the
remote possibility that packages on Etch DVDs (from a reputable supplier)
were tampered with and then gpg-signed by the tamperer.

Thank you for sharing your experience.

Felix

--
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)