So far for the theory. In practice, I'm not sure whether the mechanism for checking these signatures is easilly installable. As such, it is likely that many, if not most, Debian installations do not, in fact, verify signatures against the debian-keyring.
I was wondering about this once - it seems pretty amazing to me that such a "hackers distro" won't implement PGP signature checking on packages as part of the installation process - doesn't even RH do that in up2date and its ilks?
It sounds from they way you put things that it's far from trivial - but is it possible at all to integrate PGP signature checking with the apt install process?
Cheers,
--Amos
================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
