On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
> 
> The fault is mine/my setup.  My connection to the internet is slow;
> hence I am reduced to using the DVDs for upgrades.  Although I procured
> the "official" Etch DVD set from a supplier listed by Debian, there were
> numerous notifications during the "dist-upgrade" that I was installing
> "untrusted packages". And, due to my slow internet connection, I refrained
> from running the recommended "aptitude update" at the end of the
> successful "dist-upgrade".

These errors (untrusted packages) have to do with the new secure-apt
system which uses gpg keys to confirm the signatures on
packages. Install the debian-archive-keyring package and then update.

> 
> Is there an alternative to "aptitude update" or do I have to live with the
> missing md5sums and "untrusted packages"?

There is not really any alternative to "aptitude update" unless you
consider some other apt front-end an alternative (apt-get, synaptic)
but they all do the same thing.  The missing md5 sums have nothing to
do with the trusted/untrusted packages issue.

In theory, you have installed packages that may be compromised due to
the failure to check the signatures. In practice, this is probably not
a real issue. You could pull known-good debs from somewhere and
compare md5sums to confirm that your installation is good, but it's
probably not worth the effort, unless you have some reason to be
concerned about compromise. 

You definitely should make sure you read up on the
debian-archive-keyring and get it installed and working properly. 

A
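
The md5sum comparison suggested above, as an added example that is not part of the original message: it checks files under a root directory against a manifest in the `<md5>  <path>` format used by dpkg's md5sums files, taken from a known-good copy of the package. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg-style md5sums lines: '<32 hex>  <path relative to />'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        entries[path.strip()] = digest.lower()
    return entries

def file_md5(path):
    # MD5 matches the md5sums format; it detects corruption and casual
    # tampering but is not collision-resistant.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(manifest_text, root="/"):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    result = {}
    for rel, expected in parse_md5sums(manifest_text).items():
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            result[rel] = "missing"
        else:
            result[rel] = "ok" if file_md5(full) == expected else "mismatch"
    return result

def demo():
    """Constructed sample: a temp tree standing in for / plus a manifest."""
    good = b"original contents\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        with open(os.path.join(root, "usr/bin/good"), "wb") as f:
            f.write(good)
        with open(os.path.join(root, "usr/bin/changed"), "wb") as f:
            f.write(b"modified contents\n")
        digest = hashlib.md5(good).hexdigest()
        manifest = "\n".join(digest + "  usr/bin/" + name
                             for name in ("good", "changed", "gone"))
        return verify_tree(manifest, root)

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```
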
