Where to get key A714EB87D1B1F415?
Michel D'HOOGE
list.dhooge at gmail.com
Thu Dec 7 06:19:46 UTC 2006
On Wednesday 06 December 2006 16:30, D. R. Evans wrote:
> I am fairly paranoid about not installing unsigned packages
Thanks for saying that, because IMHO it seems to be a common behaviour that I
think is quite odd & risky! Let me explain:
Indeed, why do you believe you are safer once you have downloaded the public key of
someone you don't know? As long as there is no "GPG trust path" between you
and the guy providing the packages, nothing has changed. Well, in fact,
AFAIK something has changed, and not for the better. If the guy (or someone
who got into his system) now decides to provide a trojan version of an
essential package (say, libc), you will install it without noticing anything.
So unless I can find a way to know the origin of the packages, I'd rather stay
with unsigned repositories except for canonical ones. One can also argue that
I can't trust them either, but this is a level of risk I can accept living
with ;-)
Maybe it's already available but I haven't found it so far - I use aptitude.
What I'd like is at least 3 levels that I could assign to the repositories.
It would be even better if I could have several disconnected groups (one for
Canonical, one for multimedia stuff, ...). Or maybe simply to display the
repository from which a package is downloaded.
Cheers
--
Michel
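As an added illustration (not part of Michel's message or the kubuntu-users archive): apt's pinning mechanism already provides the per-repository priority levels asked for above, and `apt-cache policy` shows which repository each candidate version comes from. The repository hostnames below are placeholders. Pinning only steers version selection; it does not replace signature verification, so the point about trusting a key whose owner you cannot verify still stands.

```text
# /etc/apt/preferences (added example; the hostnames are placeholders)

# Highest level: the distribution's own archive
Package: *
Pin: release o=Ubuntu
Pin-Priority: 900

# Middle level: a third-party repository used for a few packages only
Package: *
Pin: origin "packages.example.org"
Pin-Priority: 500

# Lowest level: versions from here are only installed on explicit request,
# and never as an automatic upgrade of an already installed package
Package: *
Pin: origin "untrusted.example.net"
Pin-Priority: 50
```

With this in place, `apt-cache policy libc6` lists every available version of the package together with its priority and the repository line it would be fetched from, so a package that would come from a low-priority repository is visible before it is installed. Per apt_preferences(5), priorities between 0 and 99 cause a version to be installed only when no version of the package is installed yet, and a negative priority prevents the version from being installed at all.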