On Jan 2, 2011, at 5:33 PM, Matthew wrote:
I did post this before in November but got no responses. Hopefully
this wasn't because the question was so dumb.
Not at all. If by "using the sources.list file" you mean using Apt,
Aptitude, or Synaptic, then yes, verification is done automatically.
You can read more about the process here:
http://wiki.debian.org/SecureApt
~Justin Aplin
-------------
My /etc/apt/sources.list contains:
deb http://deb.torproject.org/torproject.org lucid main
In the "authentication" section of my "software sources" I have a
deb.torproject.org archive signing key dated 2009-09-04 with a value
886DDD89.
I was looking at the page which explains how to verify signatures
for downloads: https://www.torproject.org/docs/verifying-signatures.html.en
If one is not directly downloading but using the sources.list file
is the "authentication" section adequate to verify the validity of
the downloads?
Thanks
