Package: aptitude
Version: 0.4.4-4+b1
Severity: wishlist

Hi.

Aptitude already verifies whether packages are signed by a key known to apt when updating, installing, etc. packages. But there's at least one part in aptitude that doesn't do so: when using aptitude download.

I think it would be better to check for valid signatures in this case, too. If there's no signature or it is invalid or something like this, the downloaded files should be deleted or perhaps renamed to <old-name>.unverified-deb.

Another option could allow disabling signature verification, e.g. aptitude download --no-verify package.

Best wishes,
Chris.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages aptitude depends on:
ii  apt [libapt-pkg-libc6.5 0.7.3 Advanced front-end for dpkg
ii  libc6                   2.5-11            GNU C Library: Shared libraries
ii  libgcc1                 1:4.2-20070627-1  GCC support library
ii  libncursesw5            5.6-3             Shared libraries for terminal hand
ii  libsigc++-2.0-0c2a      2.0.17-2          type-safe Signal Framework for C++
ii  libstdc++6              4.2-20070627-1    The GNU Standard C++ Library v3
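
Added example, not part of the original report and not aptitude's code: the behaviour requested above (verify a downloaded file, rename it to <old-name>.unverified-deb on failure, allow an opt-out) written out in Python. It assumes the Packages stanza was already authenticated through apt's signed Release file; all function names, the sample stanza and the file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_stanza(text):
    """Parse one Packages stanza (single-line fields only) into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        if line[:1] in (" ", "\t"):  # continuation lines are not needed here
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_download(path, stanza, verify=True):
    """Return the final path: unchanged if verified, renamed if not."""
    if not verify:  # corresponds to the proposed --no-verify switch
        return path
    size, digest = stanza.get("Size", ""), stanza.get("SHA256", "")
    # Fail closed: a missing or malformed Size/SHA256 counts as unverified.
    ok = (size.isdigit() and os.path.getsize(path) == int(size)
          and digest != "" and sha256_file(path) == digest.lower())
    if ok:
        return path
    quarantined = path + ".unverified-deb"  # assumption: suffix is appended
    os.replace(path, quarantined)
    return quarantined

def demo():
    """Constructed data: a good file, a tampered one, and a skipped check."""
    d = tempfile.mkdtemp()
    payload = b"constructed stand-in for a .deb archive\n"
    bad = payload[:-1] + b"!"  # same size, different content
    stanza = parse_stanza(
        "Package: hello\nVersion: 1.0\n"
        f"Size: {len(payload)}\nSHA256: {hashlib.sha256(payload).hexdigest()}\n")
    results = []
    for name, data, verify in [("good.deb", payload, True),
                               ("tampered.deb", bad, True),
                               ("skipped.deb", bad, False)]:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        results.append(os.path.basename(check_download(path, stanza, verify)))
    return results
```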