On 5/16/05, Rikard Johnels <rikjoh@norweb.se> wrote:
The biggest problem is the fact that a lot of the packages are either NOT signed, or that the key used isn't available on the servers.
When the package provider publishes a signed package and forgets to publish the key, it is kind of impossible to find the key anywhere. Also, if the package isn't signed to begin with (as a lot of them in the Xorg pile), the possibility of finding a matching key is also NIL.
The solution "set the option GPG::Check to false" circumvents the idea of signing to begin with.
Just my 2 cents...
Accepted :) That's why I suggest using GPG::Check only when you know what you are doing. Otherwise, you can set this setting permanently in /etc/apt/apt.conf.d/gpg-checker.conf. That was not my advice, because that way you increase the security risk. Usually I set GPG::Check to false only manually, only for one package, and only when all other efforts do not provide results (i.e. the package is unsigned, or I cannot find the key anywhere).
--
/Rikard
"Sharing knowledge is the most fundamental act of friendship. Because it is a way you can give something without losing something." -R. Stallman
---------------------------------------------------------------
Rikard Johnels
email : rikjoh@norweb.se
Mob : +46 763 19 76 25
PGP : 0x461CEE56
---------------------------------------------------------------
Cheers,
Sunny