On Mon, 2 Mar 2009 14:40:54 -0600
"Boyd Stephen Smith Jr." <[email protected]> wrote:

> On Monday 02 March 2009 12:05:20 [email protected] wrote:
> > I am using a repository that doesn't sign its package.  I know and
> > trust it.
> 
> That's not exactly what the signatures are about.  They are mainly about 
> preventing MitM attacks, whether from mirror administrators or someone 
> attacking your internet connection directly.
> 
> > Each time I install, I get the aptitude warning, which is
> > fine with me.  But I wish aptitude would tell me which repository the
> > package was coming from, so I could be absolutely sure it was what I
> > expect.
> 
> The best it could tell you is the URL it tried to retrieve the Release file 
> from.  That's no guarantee the Release file wasn't modified on the way to 
> your system or by a mirror administrator.

Or that the URL isn't being misdirected to a malicious server, perhaps
through DNS poisoning.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
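
An added illustration, not part of the original messages: apt-style Release files list a SHA256 and size for each index file, so a verified Release pins the Packages index regardless of which URL or mirror served it. The sample data, path and function names below are constructed for the example, and the check assumes the Release file itself was already verified against a trusted key (for instance with gpgv); without that step both files can be swapped together.

```python
import hashlib

# Constructed sample index, not taken from a real archive.
PACKAGES = b"Package: hello\nVersion: 1.0-1\nFilename: pool/main/h/hello/hello_1.0-1_all.deb\n"

def build_release(packages: bytes) -> str:
    """Build a constructed Release file listing the index's SHA256 and size."""
    digest = hashlib.sha256(packages).hexdigest()
    return (
        "Origin: Example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {digest} {len(packages)} main/binary-all/Packages\n"
    )

def parse_sha256_section(release: str) -> dict:
    """Return {path: (hexdigest, size)} from the SHA256 field of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return entries

def index_matches_release(release: str, path: str, data: bytes) -> bool:
    """True only if data has the size and SHA256 that Release lists for path."""
    entry = parse_sha256_section(release).get(path)
    if entry is None:
        return False  # an index the Release does not list is never trusted
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

if __name__ == "__main__":
    path = "main/binary-all/Packages"
    release = build_release(PACKAGES)
    tampered = PACKAGES.replace(b"1.0-1", b"6.6-6")  # same length, new content
    print(index_matches_release(release, path, PACKAGES))   # genuine index
    print(index_matches_release(release, path, tampered))   # modified in transit
    # With an unsigned Release, whoever modified the index can also reissue
    # Release, and the hash check alone then passes:
    print(index_matches_release(build_release(tampered), path, tampered))
```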

