Ralf Mardorf:
> On Wed, 2013-08-21 at 13:38 +0200, Jochen Spieker wrote:
>> Essentially, you have a chicken and egg problem.
> 
> Wrong!

No. Your advice is dangerous.

> Keys usually are available by a keyserver you could trust,

No. Just because a keyserver happens to serve some key that does not
mean the key is valid. I can upload a key for presid...@whitehouse.gov
anytime I want. (And apparently, 25 other people already had that bright
idea.)

The best way to overcome this situation is to have a PGP key of your own
which is tightly integrated into the Web of Trust. You can use that to
find a chain between your key and the repository's key. Here is the
chain from my (old) key to Christian Marillat's, which makes me fairly
certain that his key is valid:
http://webware.lysator.liu.se/jc/wotsap/wots/latest/paths/0xD58ADB39-0x1F41B907.png

Lacking such a key, you can still try to find references to the key used
to sign the repository on the web:
<https://www.google.de/search?q="1D7F+C53F+80F8+52C1+88F4++ED0B+07DC+563D+1F41+B907">

This is not cryptographically safe, but still better than blindly
accepting the keys from a keyring package. See also here:
<https://wiki.debian.org/SecureApt#How_to_tell_if_the_key_is_safe>

I already wrote that some time ago somewhere else: if you add a key to
apt's keyring, you are essentially giving the owner of that key root
access to your system. You cannot even limit a key in apt's keyring to a
specific repository or to specific packages.

Imagine this: You have deb-multimedia.org in your sources.list and have
the corresponding key in your keyring. If Christian Marillat decides to
upload a malicious openssh-server:999:6.0p1-4 to his repository, apt-get
and aptitude will install it on your system without warning. If apt
already downloaded the package for you with its cron job, you won't even
notice that the package does not come from Debian proper.

J.
-- 
When standing at the top of Beachy Head I find the rocks below very
attractive.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>

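As an added illustration of the check the message above recommends (this is editor-supplied example code, not something from the thread or from Debian's tooling), the script below compares the keys in a candidate keyring against a fingerprint obtained out of band, such as the one in the web search above, and reports every other key the keyring carries, since each key in apt's trusted keyring can sign any package. It parses GnuPG's machine-readable `--with-colons` listing; the keyring listing embedded below is constructed sample data, and the second key in it is a made-up key whose short key ID collides with the real one, to show why a short ID is no substitute for the full fingerprint. The `list_keyring` helper shells out to `gpg` and assumes GnuPG 2.1 or later (for `--import-options show-only`); everything else runs offline.

```python
"""Check a candidate apt signing key against a fingerprint you verified
out of band, working from gpg's colon-separated listing, e.g. from:

    gpg --with-colons --import-options show-only --import repo-keyring.gpg
"""
import re
import subprocess

HEX40 = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample listing (not real gpg output). The first key carries the
# fingerprint from the web search above; the second is an invented impostor
# whose short key ID (last 8 hex digits) collides with it.
SAMPLE_LISTING = """\
pub:-:4096:1:07DC563D1F41B907:1181200000:::-:::scESC::::::::
fpr:::::::::1D7FC53F80F852C188F4ED0B07DC563D1F41B907:
uid:-::::1181200000::0000000000000000000000000000000000000000::Repository Signing Key (constructed sample) <key@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1181200000::::::e::::::
fpr:::::::::2222222222222222222222221111111111111111:
pub:-:2048:1:DEADBEEF1F41B907:1377000000:::-:::scESC::::::::
fpr:::::::::000000000000000000000000DEADBEEF1F41B907:
uid:-::::1377000000::1111111111111111111111111111111111111111::Impostor (constructed sample) <bad@example.invalid>::::::::::0:
"""


def normalize_fingerprint(text):
    """Canonicalise a fingerprint as copied from a web page or a mail:
    drop whitespace, a leading 0x and case differences; reject anything
    that is not a 40-hex-digit OpenPGP v4 fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not HEX40.match(fpr):
        raise ValueError("not a 40-hex-digit OpenPGP fingerprint: %r" % text)
    return fpr


def fingerprints_in(colon_output):
    """Return the fingerprints of all primary keys in a --with-colons listing.
    The 'fpr' record that follows a 'pub' record carries the primary key's
    fingerprint in field 10; 'fpr' records after 'sub' belong to subkeys."""
    result = []
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            current = fields[0]
        elif fields[0] == "fpr" and current == "pub":
            result.append(fields[9])
            current = None
    return result


def check_keyring(colon_output, expected):
    """Return (present, others): whether the expected key is in the keyring,
    and every other primary key it contains. Any extra key would be trusted
    by apt for every package, so the caller should treat 'others' as a
    finding, not as noise."""
    want = normalize_fingerprint(expected)
    found = fingerprints_in(colon_output)
    return want in found, [f for f in found if f != want]


def short_key_id(fingerprint):
    """The 8-hex-digit short key ID is just the last 32 bits of the
    fingerprint. Keys colliding on it are cheap to generate, so never
    decide trust on a short ID."""
    return normalize_fingerprint(fingerprint)[-8:]


def list_keyring(path):
    """Produce the colon listing for a keyring file without importing it.
    Assumes GnuPG 2.1 or later on PATH."""
    return subprocess.check_output(
        ["gpg", "--with-colons", "--import-options", "show-only",
         "--import", path], universal_newlines=True)


if __name__ == "__main__":
    present, others = check_keyring(
        SAMPLE_LISTING, "1D7F C53F 80F8 52C1 88F4  ED0B 07DC 563D 1F41 B907")
    print("expected key present:", present)
    for fpr in others:
        print("additional key in keyring (also gets full trust):", fpr)
```

Run it against a real keyring by replacing `SAMPLE_LISTING` with `list_keyring("/path/to/keyring.gpg")`. Note that `others` being empty is part of the check: a keyring package that ships the right key plus one more grants that extra key the same power over your system.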