apt: unsigned/unknown signature packages
There are several unsigned/unknown signature packages on apt repositories:

readline-devel_4.3-281_i586.rpm
readline_4.3-281_i586.rpm
bash_2.05b-281_i586.rpm
alsa_1.0.3-0.pm.0_i586.rpm
fontconfig-devel_2.2.92.20040221-0_i586.rpm
fontconfig_2.2.92.20040221-0_i586.rpm
kio-apt_0.8-rb1_i586.rpm
subversion-devel_1.0.0-2_i586.rpm
subversion_1.0.0-2_i586.rpm
alsa-devel_1.0.3-0.pm.0_i586.rpm
alsa-tools_1.0.3-0.pm.0_i586.rpm
gqview_1.4.1-0.pm.1_i586.rpm
subversion-cvs2svn_1.0.0-2_i586.rpm
subversion-doc_1.0.0-2_i586.rpm
subversion-viewcvs_1.0.0-2_i586.rpm

Can anyone fix/check it?

thx

On Tuesday 2 March 2004 22:30, Ivan Sergio Borgonovo wrote:
> There are several unsigned/unknown signature packages on apt repositories:
> readline-devel_4.3-281_i586.rpm readline_4.3-281_i586.rpm bash_2.05b-281_i586.rpm alsa_1.0.3-0.pm.0_i586.rpm fontconfig-devel_2.2.92.20040221-0_i586.rpm fontconfig_2.2.92.20040221-0_i586.rpm kio-apt_0.8-rb1_i586.rpm subversion-devel_1.0.0-2_i586.rpm subversion_1.0.0-2_i586.rpm alsa-devel_1.0.3-0.pm.0_i586.rpm alsa-tools_1.0.3-0.pm.0_i586.rpm gqview_1.4.1-0.pm.1_i586.rpm subversion-cvs2svn_1.0.0-2_i586.rpm subversion-doc_1.0.0-2_i586.rpm subversion-viewcvs_1.0.0-2_i586.rpm
> Can anyone fix/check it?

You can yourself, use '--no-checksig' to continue.

--
Richard Bos
Without a home the journey is endless

On Tuesday 02 March 2004 9:33 pm, Richard Bos wrote:
> On Tuesday 2 March 2004 22:30, Ivan Sergio Borgonovo wrote:
>> There are several unsigned/unknown signature packages on apt repositories:
>> readline-devel_4.3-281_i586.rpm readline_4.3-281_i586.rpm bash_2.05b-281_i586.rpm alsa_1.0.3-0.pm.0_i586.rpm fontconfig-devel_2.2.92.20040221-0_i586.rpm fontconfig_2.2.92.20040221-0_i586.rpm kio-apt_0.8-rb1_i586.rpm subversion-devel_1.0.0-2_i586.rpm subversion_1.0.0-2_i586.rpm alsa-devel_1.0.3-0.pm.0_i586.rpm alsa-tools_1.0.3-0.pm.0_i586.rpm gqview_1.4.1-0.pm.1_i586.rpm subversion-cvs2svn_1.0.0-2_i586.rpm subversion-doc_1.0.0-2_i586.rpm subversion-viewcvs_1.0.0-2_i586.rpm
>> Can anyone fix/check it?
> You can yourself, use '--no-checksig' to continue.

that is not acceptable.

On Tuesday 2 March 2004 23:14, Paul Cooke wrote:
>> You can yourself, use '--no-checksig' to continue.
> that is not acceptable.

Nonsense (ah pardon), it has been like this for the last .... well actually all the time we used apt. The only change now is that it is being reported to you.

--
Richard Bos
Without a home the journey is endless

On Tue, 2 Mar 2004 23:16:38 +0100 Richard Bos <radoeka@xs4all.nl> wrote:
> actually all the time we used apt. The only change now is that it is being reported to you.

:(

still... it has to be fixed.

SUSE packages are signed and checked by YaST. It would be nice if susers and SUSE people signed theirs.

The fact that I wrongly trusted the system doesn't mean I have to do it again.

On Tuesday 2 March 2004 23:27, Ivan Sergio Borgonovo wrote:
>> actually all the time we used apt. The only change now is that it is being reported to you.
> :(
> still... it has to be fixed.
> SUSE packages are signed and checked by YaST. It would be nice if susers and SUSE people signed theirs.
> The fact that I wrongly trusted the system doesn't mean I have to do it again.

agreed, something to be worked on.

--
Richard Bos
Without a home the journey is endless

On Tuesday 02 March 2004 23.27, Ivan Sergio Borgonovo wrote:
> SUSE packages are signed and checked by YaST. It would be nice if susers and SUSE people signed theirs.

Um, they do. The reason you get the error is that the package is signed but you don't have the relevant key in your keychain (and imported into rpm).

On Tue, 2 Mar 2004 23:45:05 +0100 Anders Johansson <andjoh@rydsbo.net> wrote:
> On Tuesday 02 March 2004 23.27, Ivan Sergio Borgonovo wrote:
>> SUSE packages are signed and checked by YaST. It would be nice if susers and SUSE people signed theirs.
> Um, they do. The reason you get the error is that the package is signed but you don't have the relevant key in your keychain (and imported into rpm).

Some answers were "unknown" but some were "unsigned", could you please help us to add the keys for the "unknown"?

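The "unknown" versus "unsigned" distinction raised in the two messages above can be read off `rpm --checksig` output one package at a time. The sketch below is an added example, not part of the original thread: it assumes rpm 4.x wording (`MISSING KEYS`, `NOT OK`, and `gpg`/`pgp`/`dsa`/`rsa` tokens for a verified signature), and the sample lines, package names and key id are constructed placeholders.

```sh
#!/bin/sh
# Classify one line of `rpm --checksig` output (rpm 4.x wording assumed).
classify_checksig() {
    result=${1#*: }                       # drop the leading "file.rpm: "
    case $result in
        *"MISSING KEYS"*) echo unknown-key ;;  # signed, key not imported into rpm
        *"NOT OK"*)       echo bad ;;          # digest or signature mismatch
        *OK)
            lc=$(printf '%s' "$result" | tr '[:upper:]' '[:lower:]')
            case " $lc " in
                *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*)
                    echo signed-ok ;;
                *)  echo unsigned ;;           # digests only: integrity, no origin
            esac ;;
        *) echo unparsed ;;
    esac
}

# Read checksig lines on stdin, print "verdict<TAB>file";
# return non-zero unless every package is signed-ok.
audit_checksig() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig "$line")
        printf '%s\t%s\n' "$verdict" "${line%%: *}"
        [ "$verdict" = signed-ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample output; package names and key id are placeholders.
SAMPLE='example-a_1.0-1_i586.rpm: (sha1) dsa sha1 md5 gpg OK
example-b_1.0-1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
example-c_1.0-1_i586.rpm: sha1 md5 OK'

printf '%s\n' "$SAMPLE" | audit_checksig || echo "not all packages verified"
```

An `unknown-key` verdict is resolved on the client by importing the packager's public key (`rpm --import`) after checking its fingerprint; an `unsigned` verdict can only be resolved by the packager signing the package.
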
On Tuesday 02 March 2004 14:27, Ivan Sergio Borgonovo wrote:
> On Tue, 2 Mar 2004 23:16:38 +0100
> Richard Bos <radoeka@xs4all.nl> wrote:
>> actually all the time we used apt. The only change now is that it is being reported to you.
> :(
> still... it has to be fixed.

Very well. Please submit the patches to the apt4rpm project maintainers when you're done

--
SuSE Linux 9.0 (i586) Kernel: 2.4.21-166-default / i686 | Posted from: Miverna
6:11pm up 1 day 20:02, 3 users, load average: 0.12, 0.36, 0.35

better !pout !cry
better watchout
lpr why
santa claus <north pole >town
cat /etc/passwd >list
ncheck list
ncheck list
cat list | grep naughty >nogiftlist
cat list | grep nice >giftlist
santa claus <north pole > town
who | grep sleeping
who | grep awake
who | egrep 'bad|good'
for (goodness sake) { be good }

nqs@tmcom.com | http://tigger.tmcom.com/~nqs/blogger.html

On Thu, 4 Mar 2004 18:12:27 -0800 Joe Dufresne <nqs@tigger.tmcom.com> wrote:
> On Tuesday 02 March 2004 14:27, Ivan Sergio Borgonovo wrote:
>> On Tue, 2 Mar 2004 23:16:38 +0100
>> Richard Bos <radoeka@xs4all.nl> wrote:
>>> actually all the time we used apt. The only change now is that it is being reported to you.
>> :(
>> still... it has to be fixed.
> Very well. Please submit the patches to the apt4rpm project maintainers when you're done

Apparently you're a lazy reader but a proficient signature writer.

apt actually got fixed and this revealed we were installing not signed packages. What I'm asking is if all the people contributing to the unofficial SUSE packages could sign their rpm.

I'm perfectly aware they are doing it on a voluntary basis but I'd think it is a waste of resources to do their job twice just to publish signed packages. I know how hard they are working cos I find it hard to package the 2 or 3 software I like to keep up to date on a regular basis and I do it for myself without the responsibility of screwing some thousands other boxes.

Nevertheless I think signing all the packages that reach SUSE apt repositories is important and it will add just 1/1000 of the work that all unofficial SUSE package maintainers are already doing.

oooh and this is a plea not a blame of course.

> that is not acceptable.

Richard was very polite in his response, I'm going to be less so...

Richard and others provide the APT service as a free service to the SuSE community, I think that it is not acceptable to take this sort of attitude, when they would be perfectly free to withdraw the service altogether.

Personally, I'm going to look into the issue of signing packages, and making the key available for future use.

--
James Ogley, Webmaster, Rubber Turnip
james@rubberturnip.org.uk http://www.rubberturnip.org.uk
Jabber: riggwelter@myjabber.net
Using Free Software since 1994, running GNU/Linux (SuSE 9.0).
GNOME updates for SuSE: http://www.usr-local-bin.org

On Tue, 02 Mar 2004 23:06:05 +0000 James Ogley <james@usr-local-bin.org> wrote:
>> that is not acceptable.
> Richard was very polite in his response, I'm going to be less so...

Maybe it was not meant to be rude.

> Richard and others provide the APT service as a free service to the SuSE community, I think that it is not acceptable to take this sort of attitude, when they would be perfectly free to withdraw the service altogether.

The problem is still there. I don't know how your packages reach the mirrors but if they land on gwdg by FTP with plain text password it is a serious problem. Blame on my ignorance cos I didn't spot it before. I'll have to learn how to sign the few packages I offer through my website as well since just now I've learnt how it may be critical.

> Personally, I'm going to look into the issue of signing packages, and making the key available for future use.

Thanks.

On Wednesday 3 March 2004 01:57, Ivan Sergio Borgonovo wrote:
> The problem is still there. I don't know how your packages reach the mirrors but if they land on gwdg by FTP with plain text password it is a serious problem.

They are wgetted, no passwords involved.

--
Richard Bos
Without a home the journey is endless

Hello,

I'm afraid it is not because of unsigned packages. I think it may be apt-get. Have you updated apt-get today? I began to have the same problems in other packages since then. As a test, I updated manually (using plain rpm commands) some of the packages apt said were unsigned/unknown and no problems at all.

So, any apt guru telling us what's the matter (Richard Bos?)

Guillermo

On Tuesday 02 March 2004 22:30, Ivan Sergio Borgonovo wrote:
> There are several unsigned/unknown signature packages on apt repositories:
> readline-devel_4.3-281_i586.rpm readline_4.3-281_i586.rpm bash_2.05b-281_i586.rpm alsa_1.0.3-0.pm.0_i586.rpm fontconfig-devel_2.2.92.20040221-0_i586.rpm fontconfig_2.2.92.20040221-0_i586.rpm kio-apt_0.8-rb1_i586.rpm subversion-devel_1.0.0-2_i586.rpm subversion_1.0.0-2_i586.rpm alsa-devel_1.0.3-0.pm.0_i586.rpm alsa-tools_1.0.3-0.pm.0_i586.rpm gqview_1.4.1-0.pm.1_i586.rpm subversion-cvs2svn_1.0.0-2_i586.rpm subversion-doc_1.0.0-2_i586.rpm subversion-viewcvs_1.0.0-2_i586.rpm
> Can anyone fix/check it?
> thx

--
Guillermo Ballester Valor
gbv@oxixares.com
Ogijares, Granada SPAIN
Linux user #117181. See http://counter.li.org/
Public GPG KEY http://www.oxixares.com/~gbv/pubgpg.html

On Tuesday 2 March 2004 22:42, Guillermo Ballester Valor wrote:
> Hello,
> I'm afraid it is not because of unsigned packages. I think it may be apt-get. Have you updated apt-get today? I began to have the same problems in other packages since then. As a test, I updated manually (using plain rpm commands) some of the packages apt said were unsigned/unknown and no problems at all.
> So, any apt guru telling us what's the matter (Richard Bos?)
> Guillermo

It's caused by a plugin script that checks the rpm integrity. Indeed introduced with the latest apt rpm update. But man apt tells you:

  --no-checksig
      Do not check the integrity of the packages to be installed. It can be used if the integrity check fails for 1 or more packages, but the packages have been obtained from a safe origin. Configuration item: RPM::GPG-Check.

The Configuration item RPM::GPG-Check can be set to false in the file /etc/apt/apt.conf.d/gpg-checker.conf (make true -> false) if you don't want to check the rpm integrity.

The plugin scripts are located at: /usr/lib/apt/scripts/

Hope this helps.

--
Richard Bos
Without a home the journey is endless

On Tue, 2 Mar 2004 22:42:29 +0100 Guillermo Ballester Valor <gbv@oxixares.com> wrote:
> I'm afraid it is not because of unsigned packages. I think it may be apt-get. Have you updated apt-get today? I began to have the same problems in other packages since then. As a test, I updated manually (using plain rpm commands) some of the packages apt said were unsigned/unknown and no problems at all.

try rpm --checksig package

same result ;) so it is not apt

participants (8)
- Anders Johansson
- Guillermo Ballester Valor
- Ivan Sergio Borgonovo
- James Ogley
- Joe Dufresne
- Paul Cooke
- Richard Bos
- Suse Mail