On Thu, 13 Mar 2003 19:36:20 -0600 Steve <[EMAIL PROTECTED]> wrote: | package verification (other than a simple md5 checksum). Now I see | support is there for signing packages in woody, but it isn't being used | yet. I hope this changes in the near future, because I think it's quite | important for verifying package integrity & authenticity.
Same here. I had thought there was some 'behind the scenes' package verification done with debian packages, I looked online and found out that this feature was indeed added into debian[1] back just _over_2_years_ago_ with the "debian-keyring" and "debsig-verify" packages. So I installed them and tried to apt-get several packages, only to be denied since the "verification failed" for every package I tried. I had to uninstall "debsig-verify" to get any other software to install. Then I did a google and found out this feature isn't even supported yet, just the infrastructure is all that is set up.[2] =( It really is true, "GPG is the best cypto no one is using." Sad but honestly enough, even I need to get a new GPG key setup. We definately need some motivation to get everyone using GnuPG/PGP and make it a common practice! Does Gentoo or any other distro provide package verification besides RH? This really should be a common practice[3] by now, I would hope. [1] http://www.debian.org/News/weekly/2001/8/ [2] http://cert.uni-stuttgart.de/archive/debian/user/2002/09/msg00416.html [3] http://www.securityfocus.com/columnists/48 peace Brian Wiese | [EMAIL PROTECTED] | aim: unolinuxguru ------------------------------------------------------ GnuPG/PGP key 0x1E820A73 | "FREEDOM!" - Braveheart ------------------------------------------------------ This is not about Napster or DVDs. It's about your Freedom. I'll see your DMCA and raise you a First Amendment. http://www.anti-dmca.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
