On Fri, Feb 22, 2008 at 15:39:10 -0800, alexandre suzuki wrote:
> 1)
> I installed apt-0.6.46.4 from backports.org because I wanted security
> checks of Release.gpg not only the check of the md5s. However my
> first run of it (see above) does not show any sign of the checks. When I
> did apt-get update I saw the download of the files Release.gpg Release
> Packages.gz. Does apt execute all those checks silently, when we
> effectively install the packages?

Yes, every package is checked. As long as you do not get any warnings it
means that the verification was successful. Furthermore, all untrusted
packages are marked with a "U" in aptitude's listings, which you can see
already before you even try to install such a package.

> 2)
> When I ran aptitude the first time with this new apt I received this
> warning: Apt errors warning: could not lock the cache file. Opening
> in read-only mode.
>
> What did that mean? Now I don't receive it anymore and aptitude opens
> normally, I didn't do anything special (as of my knowledge) to return
> to normal.

I don't know anything about this. Did you maybe have an older instance of
apt still running when you tried the new version for the first time?

> 3)
> Now I have all my installed packages from the CDs in aptitude with the
> following warning:
>
> warning (in red): This version of the package is from an untrusted
> source: Installing this package could allow a malicious individual to
> damage or take control of your system.
>
> Is that normal? APT didn't effectively do the check of the CDs, is it
> because of that?

As far as I remember, the CDs and DVDs do not have the Release.gpg
signatures, so they cannot be checked by this mechanism[*]. If you trust
your CDs, you can create a new file in /etc/apt/apt.conf.d/ containing
one line:

APT::Authentication::TrustCDROM "true";

You can choose any name for this file (as long as you avoid certain
special characters). I would recommend something like
"50local-trustcdrom" to help you remember that you put this file there
yourself and why you did that.

[*] The mirrors from which you can download the CD and DVD images usually
offer a file with the md5 sums of the images and this file is signed by a
Debian developer. You should check the md5 sums in any case to make sure
that the download went OK, and you can verify the developer's signature
with his/her public key on the Debian keyring.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
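
The footnote's image check tied to the TrustCDROM setting, as an added example that is not part of the original message: the option file is written only after the signed checksum file and the image both verify. The function names, the file names MD5SUMS and MD5SUMS.sign, the image name and the keyring path are assumptions; adjust them to what your mirror and keyring package provide.

```shell
#!/bin/sh
# Added example; function names, file names and keyring path are assumptions.

# Succeeds only if SIG is a valid signature over SUMS by a key in KEYRING.
sums_signature_ok() {       # usage: sums_signature_ok SUMS SIG KEYRING
    gpgv --keyring "$3" "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if IMAGE's MD5 is listed in SUMS under IMAGE's file name.
image_matches_sums() {      # usage: image_matches_sums SUMS IMAGE
    [ -r "$1" ] && [ -r "$2" ] || return 1
    sum=$(md5sum < "$2" | cut -d' ' -f1)
    awk -v h="$sum" -v f="$(basename "$2")" '
        { n = $2; sub(/^\*/, "", n) }   # md5sum marks binary mode with "*"
        $1 == h && n == f { found = 1 }
        END { exit !found }' "$1"
}

# Writes the one-line option from the message above into CONF_DIR.
write_trustcdrom_conf() {   # usage: write_trustcdrom_conf CONF_DIR
    printf '%s\n' 'APT::Authentication::TrustCDROM "true";' \
        > "$1/50local-trustcdrom"
}

# Enables TrustCDROM only when both checks pass.
trust_cd_if_verified() {    # usage: ... SUMS SIG KEYRING IMAGE CONF_DIR
    sums_signature_ok "$1" "$2" "$3" || { echo "bad signature on $1" >&2; return 1; }
    image_matches_sums "$1" "$4"     || { echo "checksum mismatch: $4" >&2; return 1; }
    write_trustcdrom_conf "$5"
}

# Example call (all paths are placeholders):
#   sh trustcd.sh MD5SUMS MD5SUMS.sign /usr/share/keyrings/debian-role-keys.gpg \
#       debian-cd.iso /etc/apt/apt.conf.d
[ "$#" -eq 0 ] || trust_cd_if_verified "$@"
```

The checksum alone only shows the download was not corrupted; the signature check on the checksum file is what ties the image to a key on the keyring.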