On 10/23/06, Anders Johansson <andjoh@rydsbo.net> wrote:
> On Monday 23 October 2006 13:34, Duff Mckagan wrote:
> > Thanks. But what are the disadvantages of not checking signatures?
>
> No evidence of origin.
>
> Viruses, trojans, backdoors, spyware: if just one of the servers you use to install from gets hacked, you will install whatever the hackers put your way. With signature checking, this wouldn't happen.
>
> But over the past couple of years I've come to understand that most people are just too lazy for real security, which is why the common answer to your question is "disable the security check".
>
> If you were afraid of losing the key to your house, would the solution be to remove the lock from the door? Metaphorically speaking, that is what you did by disabling the signature check.
>
> Oh, and just blindly installing some rpm containing keys, and then trusting everything signed by those keys, can be likened to handing out the key to your house to anyone who asks for it.

Thanks. Nice explanation there. Now I realize that it was certainly not a good idea. Well... I solved the problem by using the --no-checksig option with apt for just one RPM. And I was quite surprised that the package that didn't have the signature was Kynaptic and not some odd software.

I have the following line added to my /etc/apt/sources.list. Could it be problematic?

rpm http://ftp4.gwdg.de/pub/linux/suse/apt SuSE/10.0-i386 wine rpmkeys base java update-drpm update-prpm update extra kde samba3 suser-agirardet suser-liviudm suser-rbos suser-crauch suser-jengelh suser-oc2pus suser-guru suser-gbv usr-local-bin suser-tcousin suser-scorot suser-scrute suser-jogley kolab packman packman-i686 kraxel suse-people kde3-stable security-prpm security