[olug] Re: [huskerlug] The Debian Leap
Brian Wiese
bwiese at cotse.com
Sat Mar 15 09:28:00 UTC 2003
On Thu, 13 Mar 2003 19:36:20 -0600
Steve <steve at clublinux.org> wrote:
| package verification (other than a simple md5 checksum). Now I see
| support is there for signing packages in woody, but it isn't being used
| yet. I hope this changes in the near future, because I think it's quite
| important for verifying package integrity & authenticity.
Same here. I had thought there was some 'behind the scenes' package
verification done with Debian packages. I looked online and found out that
this feature was indeed added into Debian[1] back just _over_2_years_ago_
with the "debian-keyring" and "debsig-verify" packages. So I installed
them and tried to apt-get several packages, only to be denied since the
"verification failed" for every package I tried. I had to uninstall
"debsig-verify" to get any other software to install.
Then I did a google and found out this feature isn't even supported yet,
just the infrastructure is all that is set up.[2] =( It really is true,
"GPG is the best crypto no one is using." Sad but honestly enough, even I
need to get a new GPG key set up. We definitely need some motivation to
get everyone using GnuPG/PGP and make it a common practice!
Does Gentoo or any other distro provide package verification besides RH?
This really should be a common practice[3] by now, I would hope.
[1] http://www.debian.org/News/weekly/2001/8/
[2] http://cert.uni-stuttgart.de/archive/debian/user/2002/09/msg00416.html
[3] http://www.securityfocus.com/columnists/48
peace
Brian Wiese | bwiese at cotse.com | aim: unolinuxguru
------------------------------------------------------
GnuPG/PGP key 0x1E820A73 | "FREEDOM!" - Braveheart
------------------------------------------------------
This is not about Napster or DVDs. It's about your Freedom.
I'll see your DMCA and raise you a First Amendment.
http://www.anti-dmca.org