Re: [SLE] Apt and unknown signatures
On Monday 16 May 2005 08:14, Richard Bos wrote:
On Monday 16 May 2005 20:12, Jerome Lyles wrote:
I'm using 9.3 and apt. When I try to update kaffeine for example I get this message:
APT system reports:
E: Error(s) while checking package signatures:
   0 unsigned package(s)
   4 package(s) with unknown signatures
   0 package(s) with illegal/corrupted signatures
I am using the rpmkeys component. How can I fix this?
Which apt component does the package come from? 'apt showpkg kaffeine \ head' shows this in the version line. With this information you should be able to figure out the right rpmkey.
Or use apt with the --no-checksig option.
# apt showpkg kaffeine \ head
<snip>
W:Unable to locate package /
W:Unable to locate package head

I don't want to use the --no-checksig option unless there's no other way.

Thanks,
Jerome
On 5/17/05, Susemail
# apt showpkg kaffeine \ head
<snip>
W:Unable to locate package /
W:Unable to locate package head

# apt-cache showpkg kaffeine | head

This will show the first 10 lines of the package info. Usually on the first line is the repository where the package came from. For me:

suse:/home/sunny # apt showpkg kaffeine | head
Package: kaffeine
Versions:
0.6-0.pm.0(/var/state/apt/lists/ftp.gwdg.de_pub_linux_suse_apt_SuSE_9.1-i386_base_pkglist.packman-i686)(/var/lib/rpm/Packages)

Which says that my kaffeine was packaged by packman, and if I need to, I have to look for his rpmkey.

Cheers,
Sunny
On Tuesday 17 May 2005 20:22, Sunny wrote:
Which says that my kaffeine was packaged by packman, and if I need, I have to look for his rpmkey.
packman isn't one person, it is a web site where several people (and therefore several gpg keys) contribute. You'd need to import them all.

Also note that blindly importing keys you don't know anything about is no better than just ignoring the key completely. Trust is everything. Not saying you can't trust the keys in apt, I'm just saying you need to think about what you're doing. Do you know who the person is? Can he/she be traced if there's a major problem with the packages? Blind trust is stupid trust.

This isn't a problem now (perhaps; there are many 'regular users' contributing to the package repos that I know nothing at all about), but it will be in future as Linux grows in popularity. Even now it would be a piece of cake to spread malicious code: simply create a package, subscribe to this list using some anonymous address and start promoting the package. So far I have seen very few people that appear like they would think twice about installing it.

Please don't let Linux go down the same security quagmire that other OSes have. Please think.

And to the admins of these repos: please consider establishing a web of trust where everything is transparent, so end users can see what's going on and who is involved.
On Tuesday 17 May 2005 08:38, Anders Johansson wrote:
On Tuesday 17 May 2005 20:22, Sunny wrote:
Which says that my kaffeine was packaged by packman, and if I need, I have to look for his rpmkey.
packman isn't one person, it is a web site where several people (and therefore several gpg keys) contribute. You'd need to import them all.
Also note that blindly importing keys you don't know anything about is no better than just ignoring the key completely. Trust is everything.
It's a 'Catch 22' and/or we are already in the quagmire.
Not saying you can't trust the keys in apt, I'm just saying you need to think about what you're doing. Do you know who the person is? Can he/she be traced if there's a major problem with the packages? Blind trust is stupid trust
This isn't a problem now (perhaps; there are many 'regular users' contributing to the package repos that I know nothing at all about), but it will be in future as Linux grows in popularity.
Even now it would be a piece of cake to spread malicious code: simply create a package, subscribe to this list using some anonymous address and start promoting the package. So far I have seen very few people that appear like they would think twice about installing it.
Please don't let Linux go down the same security quagmire that other OSes have. Please think.
And to the admins of these repos: please consider establishing a web of trust where everything is transparent, so end users can see what's going on and who is involved.
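The two practical points in this thread, Sunny's "read the repository off the Versions: line" and Anders' "don't import a key you haven't verified", can be put together in a small shell procedure. The block below is an added example, not code posted by anyone in the thread or shipped by apt-rpm or Packman. It assumes apt-rpm's 'apt showpkg' output has the layout Sunny pasted (the pkglist file is named base_pkglist.<component>-<arch>), and that the allowlist of key fingerprints was obtained out of band, for instance read from the repository's web page over HTTPS or confirmed with the packager. The sample output, the component names in the allowlist and the fingerprints are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: apt-rpm "apt showpkg"
# output as in Sunny's mail; allowlist fingerprints obtained out of band.

# Constructed sample of "apt showpkg kaffeine | head" output (layout
# copied from the thread, values are placeholders).
SAMPLE_SHOWPKG='Package: kaffeine
Versions:
0.6-0.pm.0(/var/state/apt/lists/ftp.gwdg.de_pub_linux_suse_apt_SuSE_9.1-i386_base_pkglist.packman-i686)(/var/lib/rpm/Packages)'

# repo_of_package <showpkg output>: print the apt component the package
# came from, taken from the pkglist file name base_pkglist.<component>-<arch>
# in the first Versions: entry.
repo_of_package() {
    printf '%s\n' "$1" | sed -n 's/.*_pkglist\.\([^-)]*\)-[^)]*).*/\1/p' | head -n 1
}

# Constructed allowlist: "<component> <fingerprint>" per line. The
# fingerprints here are placeholders; a real list is filled from a source
# you checked yourself, never from the package or the list mail that
# promotes it.
TRUSTED_KEYS='packman 0000000000000000000000000000000000000001
suser-guru 0000000000000000000000000000000000000002'

# normalize_fpr: strip spaces and upper-case, so the "AB CD EF" form
# printed by gpg compares equal to the compact form in the allowlist.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# key_is_trusted <component> <fingerprint>: succeed only if the
# fingerprint is exactly the one recorded for that component.
key_is_trusted() {
    want=$(printf '%s\n' "$TRUSTED_KEYS" | awk -v c="$1" '$1 == c { print $2 }')
    [ -n "$want" ] && [ "$(normalize_fpr "$want")" = "$(normalize_fpr "$2")" ]
}

# key_fingerprint <keyfile>: fingerprint of an ASCII-armoured key file.
# Needs GnuPG 2.1.23 or later for --show-keys; older gpg accepts
# "gpg --with-colons --with-fingerprint <keyfile>" instead. Not exercised
# by the test because it needs gpg installed.
key_fingerprint() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# import_key_if_trusted <component> <keyfile>: import into the rpm
# keyring (which is what apt-rpm's signature check consults) only when
# the fingerprint matches the allowlist. Refusing is the whole point:
# importing an unknown key makes the "unknown signature" error go away
# without making the package any more trustworthy.
import_key_if_trusted() {
    fpr=$(key_fingerprint "$2")
    if key_is_trusted "$1" "$fpr"; then
        rpm --import "$2"
    else
        echo "refusing to import key '$fpr' for component '$1': not in allowlist" >&2
        return 1
    fi
}

# Typical run (commented out so the file is safe to source):
#   repo=$(apt showpkg kaffeine | head | repo_of_package_stdin)  # or pass the text
#   import_key_if_trusted "$repo" /path/to/downloaded-key.asc
#   rpm --checksig kaffeine-*.rpm      # should now report a known key
#   rpm -qa 'gpg-pubkey*'              # lists the keys currently in the rpm db
```

After a successful import, 'rpm -qi gpg-pubkey-<id>' shows the user ID of each key in the rpm database, which is the list you would review when deciding whether Anders' "can he/she be traced" question has an answer for a given repository.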
participants (3)
- Anders Johansson
- Sunny
- Susemail