On Mon, Apr 02, 2012 at 11:45:12AM +0100, Klaus Ethgen wrote:
> Am Mo den  2. Apr 2012 um 10:58 schrieb Alessandro Ghedini:
> > tags 666885 moreinfo
> > kthxbye
> > 
> > On Mon, Apr 02, 2012 at 08:04:06AM +0100, Klaus Ethgen wrote:
> > > Package: libcurl3-gnutls
> > > Version: 7.21.0-2.1+squeeze2
> > > Severity: serious
> > > Tags: squeeze
> > > 
> > > The current security update has a nontrusted signature. So there is no
> > > evidence that this package is safe.
> > 
> > What do you mean with "untrusted signature"? Did you refer to the key that was
> > used to upload the package?
> 
> Seems to be...
> 
>    ~> apt-get dist-upgrade
>    Reading package lists... Done
>    Building dependency tree
>    Reading state information... Done
>    Calculating upgrade... Done
>    The following packages will be upgraded:
>       curl (7.21.0-2.1+squeeze1 => 7.21.0-2.1+squeeze2)
>       libcurl3 (7.21.0-2.1+squeeze1 => 7.21.0-2.1+squeeze2)
>       libcurl3-gnutls (7.21.0-2.1+squeeze1 => 7.21.0-2.1+squeeze2)
>    3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
>    Need to get 780 kB of archives.
>    After this operation, 12.3 kB disk space will be freed.
>    Do you want to continue [Y/n]?
>    WARNING: The following packages cannot be authenticated!
>      libcurl3 curl libcurl3-gnutls
>    Install these packages without verification [y/N]?

I cannot reproduce this. On a just-updated squeeze clean chroot (6.0.4):

  root@PC-Ale:/# apt-get install libcurl3-gnutls
  Reading package lists... Done
  Building dependency tree       
  Reading state information... Done
  The following NEW packages will be installed:
    libcurl3-gnutls
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 266 kB of archives.
  After this operation, 532 kB of additional disk space will be used.
  Get:1 http://security.debian.org/ squeeze/updates/main libcurl3-gnutls amd64 7.21.0-2.1+squeeze2 [266 kB]
  Fetched 266 kB in 0s (552 kB/s)        
  debconf: delaying package configuration, since apt-utils is not installed
  Selecting previously deselected package libcurl3-gnutls.
  (Reading database ... 12952 files and directories currently installed.)
  Unpacking libcurl3-gnutls (from .../libcurl3-gnutls_7.21.0-2.1+squeeze2_amd64.deb) ...
  Setting up libcurl3-gnutls (7.21.0-2.1+squeeze2) ...

Same for curl and libcurl3.

Does this happen only with curl packages? When was the last time you did an
apt upgrade (except this one, of course)?

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
