Hello,

On Fri, 20 Mar 2009, Bhargav Prasanna wrote:

> I added the required repos to my repo list.
> An apt-get easycam2-gtk tells me that the package is not authenticated.
> Is anyone out there using this piece of software?
> Is it safe for me to download this?
The reason why distributions set up signed package repositories is that in the big, bad internet there are people who will try to inject buggy packages "just for fun" and sometimes for money! This risk is potentially as great as that of viruses in Windows. Let me say that again --- as that of viruses in Windows.

In addition to what is written below you may want to read what Wouter Verhelst has to say: http://www.grep.be/blog/en/computer/debian/apt-gpg

So how does one go about verifying packages that are not from "known" repositories?

1. Set up a basic Web of Trust. Get together with a collection of friends and generate individual keys and sign each other's keys.

2. Whenever you verify that a certain package source is dependable (this means you should either know and trust the author not to inject malicious code, or have looked at the source to check it), sign that repository's gpg key.

3. When adding a new repository, get the repository key and check its signatures and validity values. If the validity value is already 1 then you can use the repo. If not, see if there are signatures there that you know and trust. In the second case you can probably use the repo with some care.

Note that (1) and (2) are essentially the only way that (3) will work in the long run.

Regards,

Kapil.
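As an added example (not part of Kapil's reply), here is a POSIX shell script that applies step 3 to gpg's machine-readable `--with-colons` listing: it reads the validity gpg computed from the local web of trust and, when that is not yet full, checks whether anyone from your own circle of signed keys has signed the repository key. The listing and the key ids in FRIEND_KEYS are constructed placeholders, and the script assumes the standard colon-record layout (field 2 of a `pub` record is validity, field 5 of a `sig` record is the signer's key id).

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a repository signing
# key the way step 3 of the reply describes. Validity letters in a "pub"
# record: u = ultimate, f = full, m = marginal, - or q = unknown/undefined.
# FRIEND_KEYS: key ids of the people whose keys you signed in steps 1 and 2
# (constructed placeholders).
FRIEND_KEYS="FEDCBA9876543210 0F0F0F0F0F0F0F0F"

# Constructed listing, in the shape "gpg --with-colons --list-sigs" prints.
LISTING='pub:f:4096:1:0123456789ABCDEF:1262304000:::-:::scESC:
uid:f::::1262304000::HASH::Example Repo <[email protected]>:
sig:::1:0123456789ABCDEF:1262304000::::Example Repo <[email protected]>:13x:
sig:::1:FEDCBA9876543210:1262390400::::Friend One <[email protected]>:10x:
pub:-:4096:1:1111222233334444:1262304000:::-:::scESC:
uid:-::::1262304000::HASH::Careful Repo <[email protected]>:
sig:::1:1111222233334444:1262304000::::Careful Repo <[email protected]>:13x:
sig:::1:0F0F0F0F0F0F0F0F:1262390400::::Friend Two <[email protected]>:10x:
pub:-:4096:1:DEADBEEFDEADBEEF:1262304000:::-:::scESC:
uid:-::::1262304000::HASH::Stranger Repo <[email protected]>:
sig:::1:DEADBEEFDEADBEEF:1262304000::::Stranger Repo <[email protected]>:13x:
sig:::1:ABCDABCDABCDABCD:1262390400::::Nobody You Know <[email protected]>:10x:'

# Validity letter gpg assigned to the pub record for key id $1.
key_validity() {
    printf '%s\n' "$LISTING" |
        awk -F: -v k="$1" '$1 == "pub" && $5 == k { print $2; exit }'
}

# Non-self signatures on key id $1 made by one of FRIEND_KEYS.
friend_signers() {
    printf '%s\n' "$LISTING" |
        awk -F: -v k="$1" -v friends=" $FRIEND_KEYS " '
            $1 == "pub" { cur = $5 }
            $1 == "sig" && cur == k && $5 != k && index(friends, " " $5 " ") { print $5 }'
}

# ok: gpg already rates the key full/ultimate (step 3, first case).
# use-with-care: unknown to gpg, but signed by someone you trust (second case).
# reject: no trust path at all.
repo_decision() {
    case "$(key_validity "$1")" in
        u|f) echo ok; return ;;
    esac
    if [ -n "$(friend_signers "$1")" ]; then echo use-with-care; else echo reject; fi
}
```

On a real system replace the embedded LISTING with the output of `gpg --with-colons --list-sigs <keyid>` after importing the repository key; the decision logic is unchanged.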
