Hello,

Running ">wget http://security.debian.org/dists/etch/updates/Release" and ">wget http://security.debian.org/dists/etch/updates/Release.gpg" three times and comparing:

>diff Release.128.31.0.36 Release.212.211.132.250
5c5
< Date: Thu, 16 Aug 2007 16:48:11 UTC
---
> Date: Thu, 16 Aug 2007 16:52:12 UTC


>diff Release.gpg.128.31.0.36 Release.gpg.212.211.132.250
4,6c4,6
< iD8DBQBGxH/Npw2vU2Bw06ERAuBAAJ9HiFYbH9TmmJmqVyUd3uIyqwZw2gCdGtbk
< N7f+wxQik4Ns6naNNXlli7A=
< =bv2/
---
> iD8DBQBGxIC+pw2vU2Bw06ERAngYAJwOO09LQYe4qTeOniRIPK9rcoL1pgCgn8vw
> eRz35KUteZYd1/W7e1PTo6s=
> =Osbw

Since I have no control over which "mirror" security.debian.org resolves to, Release and Release.gpg may come from different machines. At least when running through apt-cacher, this leads to frequent BADSIG warnings, which tends to undermine the credibility of signature checking in apt.

Is there a strong reason why the files are allowed to be different?

Thanks
Arne
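
Added example, not part of the original post: a small diagnostic for the situation described above. It parses two Release files to show which fields differ between mirrors, and pairs files saved under the post's `Release.<ip>` / `Release.gpg.<ip>` naming so each signature is only checked against the Release from the same host. The sample Release texts are constructed; only the two Date values come from the post.

```python
# Added example: not from the original post. Sample Release texts are constructed.
from collections import defaultdict

def parse_release(text):
    """Parse a deb822-style Release file into {field: value}.
    Continuation lines (leading space or tab) are appended to the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields

def differing_fields(release_a, release_b):
    """Return the sorted field names whose values differ between two Release texts."""
    a, b = parse_release(release_a), parse_release(release_b)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def pair_by_mirror(filenames):
    """Group files named Release.<ip> / Release.gpg.<ip> by mirror IP.
    Returns ({ip: (release, signature)}, [ips missing one of the two files])."""
    found = defaultdict(dict)
    for name in filenames:
        for prefix, kind in (("Release.gpg.", "sig"), ("Release.", "rel")):
            if name.startswith(prefix):
                found[name[len(prefix):]][kind] = name
                break
    pairs = {ip: (f["rel"], f["sig"]) for ip, f in found.items() if len(f) == 2}
    return pairs, sorted(ip for ip, f in found.items() if len(f) != 2)

# Constructed sample input: only the Date lines are taken from the post.
COMMON = "Origin: Debian\nLabel: Debian-Security\nSuite: stable\nCodename: etch\n"
SUMS = "MD5Sum:\n 0123456789abcdef0123456789abcdef 1024 main/binary-i386/Packages\n"
RELEASE_A = COMMON + "Date: Thu, 16 Aug 2007 16:48:11 UTC\n" + SUMS
RELEASE_B = COMMON + "Date: Thu, 16 Aug 2007 16:52:12 UTC\n" + SUMS

if __name__ == "__main__":
    print(differing_fields(RELEASE_A, RELEASE_B))
    print(pair_by_mirror(["Release.128.31.0.36", "Release.gpg.128.31.0.36",
                          "Release.212.211.132.250"]))
```

A field comparison only explains why a cross-mirror pair fails; each complete pair still has to be verified with its own detached signature (for example with `gpgv` against the archive keyring).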

