Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> If you are after checking the package gnupg signatures and tracing
> down to the binaries that you have installed to verify that you have
> the correct things... well that isn't implemented yet.

Yes, it is.  Each package's md5sum is in the Release file you retrieve
when you do "apt-get update".  There's a Release.gpg in the same
directory containing the hash value of signing Release with the master
package program's gpg key.  Either Joey Hess or Wichert Ackerman (I
forget which) posted a script to autocheck the key hash, or you could
write your own.  But this check would be far less meaningful than you
might assume, for reasons including those I describe in
http://linuxmafia.com/~rick/linux-info/debian-package-signing .

> Hopefully next Debian release... see the following url for more
> details.
>
> http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/ch7.en.html

Nope.  That explanation is incomplete (possibly just outdated) in
failing to mention the Release.gpg hash, which piece completes the
scheme -- for what it's worth.  I fear the spectre of Khendon's Law, so
I won't cite the other reasons why the scheme is about as worthless as
your average RPM whistle-in-the-dark counterpart.  But you can find them
at the cited URL.

-- 
Cheers,                  "It ain't so much the things we don't know that get us
Rick Moen                 in trouble.  It's the things we know that ain't so."
[EMAIL PROTECTED]                  -- Artemus Ward (1834-67), U.S. journalist

_______________________________________________
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech
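The Release / Release.gpg chain described in the message above, as an added example: this is not part of the original post, not the autocheck script it mentions, and not Debian's own tooling. It assumes the MD5Sum: section of a Release file lists one index per line as " <md5hex> <size> <path>" and that the detached signature is checked with "gpg --verify Release.gpg Release". The Packages body and the Release text are constructed inline (the Release hash line is computed from the constructed Packages body), so the whole thing runs offline and never touches a mirror.

```python
"""
Added example of the Release / Release.gpg verification chain discussed
in the post.  Not the script Rick mentions and not Debian's own tooling.

Assumptions (labelled): the MD5Sum: section of Release lists one index
per line as " <md5hex> <size> <path>", and a detached signature is
checked with "gpg --verify Release.gpg Release".  The Packages body and
the Release text below are CONSTRUCTED here; the Release hash line is
computed from the constructed Packages body so the chain is internally
consistent.  Nothing talks to a mirror.
"""
import hashlib
import subprocess

# Constructed stand-in for dists/<suite>/main/binary-i386/Packages.
SAMPLE_PACKAGES = (
    b"Package: foo\n"
    b"Version: 1.0-1\n"
    b"Architecture: i386\n"
    b"Filename: pool/main/f/foo/foo_1.0-1_i386.deb\n"
    b"\n"
)
INDEX_PATH = "main/binary-i386/Packages"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed Release file; the MD5Sum: entry is derived from SAMPLE_PACKAGES.
SAMPLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "MD5Sum:\n"
    f" {md5_hex(SAMPLE_PACKAGES)} {len(SAMPLE_PACKAGES)} {INDEX_PATH}\n"
)


def parse_release_md5sums(release_text: str) -> dict:
    """Map index path -> (md5hex, size) from the MD5Sum: section of Release."""
    sums = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A new field header; only the MD5Sum: block's indented lines count.
            in_section = line.strip() == "MD5Sum:"
            continue
        if in_section:
            parts = line.split()
            if len(parts) == 3:
                digest, size, path = parts
                sums[path] = (digest.lower(), int(size))
    return sums


def check_index(release_text: str, path: str, data: bytes):
    """Tie a downloaded index (Packages) back to the Release file.

    Returns (ok, reason).  Size is compared before the hash so a truncated
    or padded file is reported as such rather than as a bare hash mismatch.
    """
    sums = parse_release_md5sums(release_text)
    if path not in sums:
        return False, "not listed in Release"
    digest, size = sums[path]
    if len(data) != size:
        return False, "size mismatch"
    if md5_hex(data) != digest:
        return False, "md5 mismatch"
    return True, "ok"


def gpg_verify_command(release_path="Release", sig_path="Release.gpg"):
    """The detached-signature check that ties Release to a key in your keyring."""
    return ["gpg", "--verify", sig_path, release_path]


def run_gpg_verify(release_path="Release", sig_path="Release.gpg") -> bool:
    """Run gpg; exit status 0 only says the signature validates against some
    key you have imported.  Whether that key is the right one is a separate
    judgement the script cannot make for you."""
    result = subprocess.run(gpg_verify_command(release_path, sig_path),
                            capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    print(check_index(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES))
    # Same length, one byte changed: caught by the hash.
    print(check_index(SAMPLE_RELEASE, INDEX_PATH,
                      SAMPLE_PACKAGES.replace(b"1.0-1\n", b"1.0-2\n")))
    # Extra bytes appended: caught by the size check first.
    print(check_index(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES + b"X"))
    print(" ".join(gpg_verify_command()))
```

What this mechanically establishes is only Release.gpg -> Release -> Packages: a valid signature from a key already in your keyring, and an index whose md5sum matches the signed Release. Which key you chose to import, and whether the Release you fetched is the one you expected, are not things the script can decide, which is the sort of limit the message points at rather than a flaw in the arithmetic.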
