Hello Paul, Thank you for your kind response to my inquiry.
My comments in-line below: On Wed, 31 Aug 2016 14:48:36 +0100, Darac Marjal <mailingl...@darac.org.uk> wrote: >On Tue, Aug 30, 2016 at 12:58:47PM -0700, Larry Dighera wrote: >> >>This page <https://www.debian.org/releases/stable/errata> states: >> >> "If you use APT, add the following line to /etc/apt/sources.list to be >> able >> to access the latest security updates: >> >> deb http://security.debian.org/ jessie/updates main contrib non-free >> >> After that, run apt-get update followed by apt-get upgrade." >> >>Adding that entry to /etc/apt/sources.list on the Raspberry Pi3 running Debian >>Jessie results in an error message indicating that the public key is not >>found. >>It also finds two libraries that require updating that are not found when the >>above mentioned /etc/apt/sources.list entry is removed. > >As other people are discussing how to avoid the problems, let me have a >go at answering your questions directly. > >> >> 1. What do I need to do to prevent the error message? > >Check that "debian-archive-keyring" is installed. > # apt-get -s install debian-archive-keyring Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'raspbian-archive-keyring' instead of 'debian-archive-keyring' raspbian-archive-keyring is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Hmmm... I didn't expect that. Now I am confused. I don't recall where I got the notion that I was running Debian Jessie as opposed to Raspbian Jessie. I suppose it was from this link: <https://www.raspberrypi.org/blog/raspbian-jessie-is-here/> where it is stated: "Raspbian has now been updated to the new stable version of Debian, which is called Jessie." I guess I failed to make the distinction between Raspbian Jessie and Debian Jessie. Me culpa. > >If that is showing as untrusted as well, then read >https://ftp-master.debian.org/keys.html. >Note the warning at the top, though: "Please note that the details here >are for information only, you should not rely on them and use other ways >to verify them." > I don't know if it's "showing as un-trusted," but I'm beginning to suspect my confusion between Raspbian Jessie and Debian Jessie is the source of the issue I experienced. Here is the output from os-release and uname: # cat ../usr/lib/os-release PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)" NAME="Raspbian GNU/Linux" VERSION_ID="8" VERSION="8 (jessie)" ID=raspbian ID_LIKE=debian HOME_URL="http://www.raspbian.org/"; SUPPORT_URL="http://www.raspbian.org/RaspbianForums"; BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"; # uname -a Linux raspberrypi3 4.4.13-v7+ #894 SMP Mon Jun 13 13:13:27 BST 2016 armv7l GNU/Linux I guess that puts a stake in the heart of this apparent non-issue. > >> >> 2. As there are other security related URLs (doubtless, as >> distributed/released) that are checked during apt-get update, is the >> recommended additional entry advisable/useful for this platform? > >If you're running Debian, then that line should provide all the security >updates you require. If you've added other repositories, though (PPAs, >for example, or if you're using a debian-derived distribution such as >Ubuntu, Mint, Devuan etc), then you should consult THOSE projects >individually to see if they provide security updates (they may simply >provide a rolling "bleeding edge" update model instead). > Apparently Raspbian Jessie is "a debian-derived distribution," and not Debian Jessie as I erroneously believed until your assistance enlightened me. I'll have to presume the default Raspbian Jessie apt sources repositories provide the intended security robustness, despite the possible security issues in libldap-2.4-2 and linux-libc-dev packages that came to light when I ran apt-get update with the "deb http://security.debian.org/ jessie/updates main contrib non-free" entry in my /etc/apt/sources.list. As you suggested, I'll take this discussion to raspbian.org, and see if they can shed some light on the possible security issues in the libldap-2.4-2 and linux-libc-dev packages. I am grateful your thoughtful and sagacious support, and the education I received as a result. It's always good to grok truth. :-) Best regards, Larry
