On Fri, Dec 03, 2004 at 08:42:18PM -0500, Daniel Burrows wrote:
> Hi,

Hi,

> I'm poking around at the new security stuff in apt 0.6, and I have
> a quick question: What exactly is the purpose of the IndexFile
> class, and how does it behave?

The metaIndex will always try to download a Release.gpg along with the
Release file. That is passed to the gpgv method to verify the signature
of the Release file (against the trusted keys in /etc/apt/trusted.gpg).
If that is successful the source is "trusted". If not, the Release.gpg
file is removed from the apt lists directory and the source is not
trusted.

> For instance, pkgAcqArchive::IsTrusted appears to assume that some
> index file will always be available for a given Version. Is that
> true? I mention this method because if no index file is found, it
> returns "true", so a complete lack of index files -- meaning nothing
> to check for trustedness -- results in the routine reporting that
> the item is trusted. If it was possible that no index files would
> be available, I would expect this to return "false", unless I
> completely misunderstand what's going on.

The latest version no longer contains those lines. It now starts with
Trusted=false and if it finds a trusted source, it will switch to
"package is trusted" mode. That means it will only download it from a
trusted source (for cases like when the package is available from
various sources).

The code is available in Matt's arch archive [1] at
http://people.debian.org/~mdz/arch. You need tla or baz
(http://bazaar.canonical.com/). The archive name is
[EMAIL PROTECTED]/apt--authentication--0.

thanks,
 Michael

[1] http://lists.debian.org/deity/2004/09/msg00057.html

-- 
The first rule of holes is: when you find yourself in one, stop digging. - PJ
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
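
Added example, not part of the original message and not apt's code: a small model of the two trust decisions discussed in the thread, the fail-open check that reports "trusted" when no index file exists, and the default-untrusted selection that restricts downloads to trusted sources once one is found. All type and function names (IndexSource, Decision, is_trusted_fail_open, select_sources) and the sample URIs are hypothetical.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model (not apt's classes): one index file listing a version.
struct IndexSource {
    std::string uri;
    bool release_gpg_present;  // Release.gpg still in the lists directory
    bool gpgv_ok;              // gpgv accepted the signature on Release
    bool trusted() const { return release_gpg_present && gpgv_ok; }
};

// Fail-open shape questioned in the thread (simplified assumption).
bool is_trusted_fail_open(const std::vector<IndexSource>& indexes) {
    if (!indexes.empty()) return indexes.front().trusted();
    return true;  // nothing to check, yet reported as trusted
}

struct Decision {
    bool trusted = false;                 // default: not trusted
    std::vector<std::string> fetch_from;  // sources allowed for download
};

// Fail-closed shape: switch to trusted mode on the first trusted source,
// after which untrusted sources are no longer download candidates.
Decision select_sources(const std::vector<IndexSource>& indexes) {
    Decision d;
    for (const auto& idx : indexes) {
        if (idx.trusted()) {
            if (!d.trusted) { d.trusted = true; d.fetch_from.clear(); }
            d.fetch_from.push_back(idx.uri);
        } else if (!d.trusted) {
            d.fetch_from.push_back(idx.uri);
        }
    }
    return d;
}

int main() {
    // Constructed sample: one unsigned mirror, one verified mirror.
    std::vector<IndexSource> mixed = {
        {"http://unsigned.example/debian", false, false},
        {"http://signed.example/debian", true, true}};
    Decision d = select_sources(mixed);
    std::cout << "empty, fail-open: " << is_trusted_fail_open({}) << "\n"
              << "empty, fail-closed: " << select_sources({}).trusted << "\n"
              << "mixed trusted: " << d.trusted << ", fetch from: "
              << d.fetch_from.front() << "\n";
}
```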

