why there is no GPG key for community repository?

#1 Post by MSOA » Sun Apr 08, 2012 11:00 am

When I want to install a package from the CR repository, I encounter a warning that says "you are about to install software that can't be authenticated!". Is there really no GPG key for this repository?

#2 Post by timkb4cq » Sun Apr 08, 2012 11:38 am

That's right.

When the current CR was originally set up, the decision (which I wasn't part of at the time) was made not to sign it. Given its structure, there wasn't a way to sign it that actually made it more secure - although signing it would make it appear to be so. All the packages are signed by the packagers and that is checked when packages are added to the repos.

Since the mepis-deb.org servers are not where the packages are processed, and they're just serving static files with no active content, it would be relatively hard to hack in and insert a malicious program + update all the Package files to make it available without breaking the repo. And it would disappear at the next update.

With what I know about the way repositories & signing work, I wouldn't trust the CR any more if it was signed.
Whether you choose to trust the Community Repositories is, of course, up to you.
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB
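
Added example, not part of the thread or of any MEPIS tooling: a small model of the hash chain apt follows (Release lists the hash of Packages, Packages lists the hash of each .deb), showing which cases plain hash checks catch and which need something vouching for Release. The package name, paths and byte strings are constructed, and the `anchor` digest is a stand-in for the GPG signature check apt performs on Release.

```python
import hashlib

PACKAGES_PATH = "main/binary-i386/Packages"            # constructed path
ORIGINAL = b"constructed package bytes v1"              # constructed sample .deb
REPLACED = b"constructed package bytes, replaced on the mirror"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_repo(deb: bytes):
    """Build constructed Packages and Release texts for a single package."""
    packages = ("Package: demo\nVersion: 1.0\n"
                "Filename: pool/demo_1.0_all.deb\n"
                f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n")
    release = ("Suite: demo\nSHA256:\n"
               f" {sha256(packages.encode())} {len(packages)} {PACKAGES_PATH}\n")
    return release, packages

def field(stanza: str, name: str) -> str:
    """Return one 'Name: value' field from a Packages stanza."""
    for line in stanza.splitlines():
        if line.startswith(name + ":"):
            return line.split(":", 1)[1].strip()
    raise KeyError(name)

def release_hash(release: str, path: str) -> str:
    """Return the hash Release records for an index file ('hash size path')."""
    for line in release.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == path:
            return parts[0]
    raise KeyError(path)

def verify(release: str, packages: str, deb: bytes, anchor: str = None) -> str:
    """anchor: digest of Release obtained out of band (stand-in for the
    signature check on Release against a key in the local keyring)."""
    if release_hash(release, PACKAGES_PATH) != sha256(packages.encode()):
        return "mismatch"            # Packages does not match Release
    if field(packages, "SHA256") != sha256(deb):
        return "mismatch"            # .deb does not match Packages
    if anchor is None:
        return "unauthenticated"     # hashes agree, nothing vouches for Release
    return "authenticated" if sha256(release.encode()) == anchor else "mismatch"
```

With no anchor, a file replaced on its own is reported as a mismatch, while a replacement accompanied by regenerated index files gives the same "unauthenticated" result as the untouched repository; with the anchor it is a mismatch.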

#3 Post by MSOA » Sun Apr 08, 2012 11:50 pm

I think it would be better if this were mentioned in the related wiki. However, thanks for the help.

#4 Post by chatan » Mon Apr 09, 2012 4:06 am

MSOA wrote: I think it would be better if this were mentioned in the related wiki. However, thanks for the help.

Good suggestion! I added it to the wiki using Tim's explanation as a basis:
http://www.mepis.org/docs/en/index.php? ... y#Packages

Cheers
