Re: [SLUG] Further to the deadly authentication.

2008-05-22 Thread Mary Gardiner
On Thu, May 22, 2008, Martin Visser wrote:
> My guess is that the mirror process works alphabetically through the
> tree, hence .../ubuntu/dists/ /main/ /Packages.* gets
> mirrored before .../ubuntu/pool/main/ /*.deb does. Hence there is
> a pretty good chance you will be trying to update packages that aren't
> available yet.

Ubuntu advises mirrors to sync twice: first the packages and then the
package listings:

http://www.ubuntu.com/getubuntu/mirror/3

-Mary
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Further to the deadly authentication.

2008-05-21 Thread Martin Visser
Yes, I have always thought that there is something broken in the
mirror process.

My guess is that the mirror process works alphabetically through the
tree, hence .../ubuntu/dists//main//Packages.* gets
mirrored before .../ubuntu/pool/main//*.deb does. Hence there is
a pretty good chance you will be trying to update packages that aren't
available yet.

Maybe I have that wrong (LazyWeb please illuminate) but I still wonder
why it sometimes Just Doesn't Work (TM) ;-)

Martin

On Sun, May 18, 2008 at 8:51 AM, Amos Shapira <[EMAIL PROTECTED]> wrote:
> On Sun, May 18, 2008 at 8:26 AM, Erik de Castro Lopo
> <[EMAIL PROTECTED]> wrote:
>>> >LANG=
>>> >sudo apt-get update
>>>
>>> Well, I did, although I like to know what I'm doing. The sudo etc I
>>> understand, but what's LANG= please?
>>
>> Did this then allow you to install the software without having to
>> install software that was un-authenticated? If so, then the update
>> grabbed the digital signatures.
>
> I sometimes (not many, two or three times in the last year, most of them
> relatively recently) find unsigned packages in aptitude. I suspect
> that it happens when I "apt-get update" while the mirror is being
> updated.
>
> I suppose that as long as you don't mess around with untrusted
> sources, and make sure that the "U" is removed when you actually
> install the package, then you are pretty safe.
>
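The consistency check that both of the messages above circle around, as an added example that is not part of the thread: a Python script that models an apt mirror as a dictionary of pool files, publishes a Packages index from it (the Filename, Size and SHA256 fields apt actually uses to fetch and verify a .deb), and then checks every index entry against the pool. It simulates both sync orders: index before pool (Martin's guess) leaves entries pointing at files the mirror does not have yet, while pool before index (the order Mary cites) keeps every entry of the still-published old index resolvable. The package names, paths and payload bytes are constructed, and the assumption that old pool files remain on the mirror until the index pass is a modelling choice, not something the thread states.

```python
import hashlib

# Constructed pool contents: path under the mirror root -> file bytes.
# Real .deb files are ar archives; short byte strings are enough to exercise
# the size and SHA256 checks.
POOL_BEFORE_SYNC = {
    "pool/main/a/alpha/alpha_1.0-1_all.deb": b"alpha 1.0-1 payload",
    "pool/main/b/beta/beta_2.1-3_all.deb": b"beta 2.1-3 payload",
}

# The archive's next state: beta is updated and gamma is new.
POOL_AFTER_SYNC = {
    "pool/main/a/alpha/alpha_1.0-1_all.deb": b"alpha 1.0-1 payload",
    "pool/main/b/beta/beta_2.1-4_all.deb": b"beta 2.1-4 payload",
    "pool/main/g/gamma/gamma_0.9_all.deb": b"gamma 0.9 payload",
}


def build_packages_index(pool):
    """Publisher side: produce a Packages index for a pool snapshot.

    Package and Version are derived from the constructed file name only so
    the stanzas read naturally; apt locates and verifies the file through
    Filename, Size and SHA256.
    """
    stanzas = []
    for path in sorted(pool):
        data = pool[path]
        name, version, _arch = path.rsplit("/", 1)[1][:-4].split("_")
        stanzas.append(
            f"Package: {name}\nVersion: {version}\nFilename: {path}\n"
            f"Size: {len(data)}\nSHA256: {hashlib.sha256(data).hexdigest()}\n"
        )
    return "\n".join(stanzas)


def parse_packages_index(text):
    """Parse a Packages index into a list of {field: value} dicts.

    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field (Description does this in real indices).
    """
    entries, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current, last_field = {}, None
            continue
        if line[0].isspace() and last_field:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        current[field] = value.strip()
        last_field = field
    if current:
        entries.append(current)
    return entries


def check_pool_against_index(index_text, pool):
    """Return {Filename: status} for every entry in the index.

    status is "ok", "missing" (the .deb is not on the mirror yet), "size" or
    "sha256" (the file is there but does not match what the index promises).
    None of these is a signature failure; they are what a partially synced
    mirror produces.
    """
    results = {}
    for entry in parse_packages_index(index_text):
        path = entry["Filename"]
        data = pool.get(path)
        if data is None:
            results[path] = "missing"
        elif len(data) != int(entry["Size"]):
            results[path] = "size"
        elif hashlib.sha256(data).hexdigest() != entry["SHA256"]:
            results[path] = "sha256"
        else:
            results[path] = "ok"
    return results


def simulate_sync_order(dists_first):
    """Model a client running apt-get update while the mirror is mid-sync.

    dists_first=True: the new index is published but the pool still holds
    the old files. dists_first=False: the pool was refreshed first and (by
    assumption) old files are kept until the index pass, so the old index
    still resolves.
    """
    if dists_first:
        return check_pool_against_index(
            build_packages_index(POOL_AFTER_SYNC), POOL_BEFORE_SYNC)
    merged_pool = {**POOL_BEFORE_SYNC, **POOL_AFTER_SYNC}
    return check_pool_against_index(
        build_packages_index(POOL_BEFORE_SYNC), merged_pool)


if __name__ == "__main__":
    for order in (True, False):
        print("dists before pool:" if order else "pool before dists:")
        for path, status in simulate_sync_order(order).items():
            print(f"  {status:8} {path}")
```

Running the script prints the two scenarios side by side; in the index-first case the updated beta and the new gamma both show up as "missing", which is exactly the "packages that aren't available yet" Martin describes, while the pool-first case reports every entry as "ok".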


Re: [SLUG] Further to the deadly authentication.

2008-05-18 Thread Sonia Hamilton
On Sun, 2008-05-18 at 08:26 +1000, Erik de Castro Lopo wrote:
> > Well, I did, although I like to know what I'm doing. The sudo etc I
> > understand, but what's LANG= please?
> 
> Did this then allow you to install the software without having to 
> install software that was un-authenticated? If so, then the update
> grabbed the digital signatures.
> 
> The 'LANG=' clears the LANG environment variable. For some reason
> this helps but I've never seen this myself.
> 
> HTH,
> Erik

Clearing LANG seems to prevent all the errors caused by aptitude looking
for localised package sources. This may be the "right way" to do things,
or maybe the error messages are spurious and I should eat my laptop. Can
any .deb gods comment?

-- 
Thanks,

Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton



Re: [SLUG] Further to the deadly authentication.

2008-05-17 Thread Amos Shapira
On Sun, May 18, 2008 at 8:26 AM, Erik de Castro Lopo
<[EMAIL PROTECTED]> wrote:
>> >LANG=
>> >sudo apt-get update
>>
>> Well, I did, although I like to know what I'm doing. The sudo etc I
>> understand, but what's LANG= please?
>
> Did this then allow you to install the software without having to
> install software that was un-authenticated? If so, then the update
> grabbed the digital signatures.

I sometimes (not many, two or three times in the last year, most of them
relatively recently) find unsigned packages in aptitude. I suspect
that it happens when I "apt-get update" while the mirror is being
updated.

I suppose that as long as you don't mess around with untrusted
sources, and make sure that the "U" is removed when you actually
install the package, then you are pretty safe.

--Amos


Re: [SLUG] Further to the deadly authentication.

2008-05-17 Thread Erik de Castro Lopo
[EMAIL PROTECTED] wrote:

> Well, I'm happy to follow advice in this matter. Even so, I'm still
> curious about unauthenticated software. What's the rationale in producing
> it?

The warning you saw can happen in two situations:

  - The software was signed, but you don't have the part of the
    key used to validate the signature.
  - The software was not signed (this can happen when you add an
    unofficial deb source to your /etc/apt/sources.list file).

In your case, my guess is that the software was crypto-signed but
that your system didn't have a record of the digital signatures and
hence couldn't authenticate them. More below ..

> >LANG=
> >sudo apt-get update
> 
> Well, I did, although I like to know what I'm doing. The sudo etc I
> understand, but what's LANG= please?

Did this then allow you to install the software without having to 
install software that was un-authenticated? If so, then the update
grabbed the digital signatures.

The 'LANG=' clears the LANG environment variable. For some reason
this helps but I've never seen this myself.

HTH,
Erik
-- 
-
Erik de Castro Lopo
-
Rule 1: Spammers lie.
Rule 2: If a spammer seems to be telling the truth, see Rule #1.


Re: [SLUG] Further to the deadly authentication.

2008-05-17 Thread wbennett
Erik de Castro Lopo wrote:

> Installation of authenticated binaries is a good idea. It's a
> way of ensuring that you are installing the binary that your
> distribution intended you to install. It reduces the likelihood
> of you and others installing compromised software.

Well, I'm happy to follow advice in this matter. Even so, I'm still
curious about unauthenticated software. What's the rationale in producing
it?

> It should also be noted that the first time Linux suffers a
> widespread infection of malware will be the most damaging
> in terms of the reputation of Linux. That will be the time
> that the microsofties will be able to say "look, Linux is
> just as bad".

They probably will, but I don't think it will be catastrophic. I remember
when a virus was finally produced for Apple machines. The microsofties
reacted as you said, but Apple's reply was "It took you ages to produce a
virus that worked and, in any event, we were on to it like a shot." Linux
has more than its fair share of geeks and I'm always astonished at their
ingenuity.

>LANG=
>sudo apt-get update

Well, I did, although I like to know what I'm doing. The sudo etc I
understand, but what's LANG= please?

Regards,

Bill Bennett.