MEPIS Community Forum

A Linux operating system based on Debian Stable



why there is no GPG key for community repository? 
Forum Novice

Joined: Sun Apr 08, 2012 10:14 am
Posts: 10
Has thanked: 4 times
Have thanks: 2 times
Post # 298397
Post why there is no GPG key for community repository?
When I want to install a package from the CR repository, I encounter a warning that says "you are about to install software that can't be authenticated!". Is there really no GPG key for this repository?


Sun Apr 08, 2012 11:00 am

MSOA thanked by: JBoman
Forum Guide

Joined: Wed Jul 12, 2006 4:05 pm
Posts: 2809
Location: Pinellas Park, FL
Has thanked: 104 times
Have thanks: 1760 times
Post # 298399
Post Re: why there is no GPG key for community repository?
That's right.

When the current CR was originally set up the decision (which I wasn't part of at the time) was made not to sign it. Given its structure there wasn't a way to sign it that actually made it more secure - although signing it would make it appear to be so. All the packages are signed by the packagers and that is checked when packages are added to the repos.

Since the mepis-deb.org servers are not where the packages are processed, and they're just serving static files with no active content, it would be relatively hard to hack in and insert a malicious program + update all the Package files to make it available without breaking the repo. And it would disappear at the next update.

With what I know about the way repositories & signing work, I wouldn't trust the CR any more if it was signed.
Whether you choose to trust the Community Repositories is, of course, up to you.

_________________
XFX Nforce 750 (built in GeForce 8300), Athlon X2 5000
Lenovo G550 , Intel T4400 , Intel Mobile 4 graphics


Sun Apr 08, 2012 11:38 am

timkb4cq thanked by: MSOA
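
Added example, not part of the original posts and not MEPIS's own tooling: a Python sketch of the two hash links APT follows in a repository (Release lists the hash of each Packages index, Packages lists the hash of each .deb), showing which link notices a changed package and which notices a regenerated index. The package name, paths and file contents are constructed sample data; verifying a GPG signature on Release, the step an unsigned repository does not have, is not performed here.

```python
from hashlib import sha256

def parse_stanzas(text):
    """Parse Debian control-format text (Packages, Release) into a list of dicts."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of a multi-line field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas

def deb_matches_index(deb, index, name):
    """Packages -> .deb link: compare Size and SHA256 from the package's stanza."""
    stanza = next(s for s in parse_stanzas(index.decode()) if s.get("Package") == name)
    return len(deb) == int(stanza["Size"]) and sha256(deb).hexdigest() == stanza["SHA256"]

def index_matches_release(index, path, release_text):
    """Release -> Packages link: 'SHA256:' holds '<hash> <size> <path>' rows."""
    listed = parse_stanzas(release_text)[0].get("SHA256", "")
    rows = [row.split() for row in listed.splitlines() if row.strip()]
    return [sha256(index).hexdigest(), str(len(index)), path] in rows

def make_index(deb):
    """Build a one-package Packages file (constructed sample, not real CR data)."""
    return ("Package: hello-cr\nVersion: 1.0\nArchitecture: all\n"
            "Filename: pool/main/h/hello-cr/hello-cr_1.0_all.deb\n"
            f"Size: {len(deb)}\nSHA256: {sha256(deb).hexdigest()}\n").encode()

def demo():
    path = "main/binary-i386/Packages"            # hypothetical index path
    deb = b"constructed stand-in for a .deb archive"
    index = make_index(deb)
    release = f"Origin: example\nSHA256:\n {sha256(index).hexdigest()} {len(index)} {path}\n"
    changed_deb = deb + b" (modified)"
    changed_index = make_index(changed_deb)       # index rewritten to match the change
    return {
        "original deb vs original index": deb_matches_index(deb, index, "hello-cr"),
        "changed deb vs original index": deb_matches_index(changed_deb, index, "hello-cr"),
        "changed deb vs regenerated index": deb_matches_index(changed_deb, changed_index, "hello-cr"),
        "original index vs Release": index_matches_release(index, path, release),
        "regenerated index vs Release": index_matches_release(changed_index, path, release),
    }

if __name__ == "__main__":
    print(demo())
```

The Release comparison only means something to a client when the Release file itself is authenticated, which is what APT's "can't be authenticated" warning refers to.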
Forum Novice

Joined: Sun Apr 08, 2012 10:14 am
Posts: 10
Has thanked: 4 times
Have thanks: 2 times
Post # 298440
Post Re: why there is no GPG key for community repository?
I think it would be better if this were mentioned in the related wiki. However, thanks for the help.


Sun Apr 08, 2012 11:50 pm
Forum Regular

Joined: Fri Oct 17, 2008 8:19 pm
Posts: 798
Location: Okinawa, Japan
Has thanked: 100 times
Have thanks: 142 times
Post # 298444
Post Re: why there is no GPG key for community repository?  [Solved]
MSOA wrote:
I think it would be better if this were mentioned in the related wiki. However, thanks for the help.


Good suggestion! I added it to the wiki using Tim's explanation as a basis:
http://www.mepis.org/docs/en/index.php? ... y#Packages

Cheers


Mon Apr 09, 2012 4:06 am

chatan thanked by: janthree, lucky9, MSOA