linux.debian.user debian-user@lists.debian.org

#1
By diligent lurking on this NG, I read of and tried the following routines:

1. "debsums_gen -l", which gave the following output (first two lines):

     Checking for packages without md5sums list
     aalib1 akode alsaplayer at base-config base-files bc bin86 binutils

2. "# aptitude search '~i! ~M'", which started as follows:

     i   a2ps
     i   adduser
     i   afio
     i   alien
     i   alsa-base
     i   alsa-oss
     i   alsa-utils
     i   alsamixergui
     i   alsaplayer
     i   alsaplayer-alsa
     i   alsaplayer-common
     i   alsaplayer-gtk
     i   alsaplayer-oss
     i   antiword
     i   apt
     i   apt-utils
     i   apt-zip
     i   aptitude
     i   aptitude-doc-en
     i   aspell
     i   aspell-en
     i   at
     i   audacity

From which I deduce that some packages lost their md5sums during my upgrade from Sarge to Etch and some packages did not.

The fault is mine/my setup. My connection to the internet is slow; hence I am reduced to using the DVDs for upgrades. Although I procured the "official" Etch DVD set from a supplier listed by Debian, there were numerous notifications during the "dist-upgrade" that I was installing "untrusted packages". And, due to my slow internet connection, I refrained from running the recommended "aptitude update" at the end of the successful "dist-upgrade".

Is there an alternative to "aptitude update" or do I have to live with the missing md5sums and "untrusted packages"?

Felix Karpfen

--
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
#2
On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
> The fault is mine/my setup. My connection to the internet is slow;
> hence I am reduced to using the DVDs for upgrades. Although I procured
> the "official" Etch DVD set from a supplier listed by Debian, there were
> numerous notifications during the "dist-upgrade" that I was installing
> "untrusted packages". And, due to my slow internet connection, I refrained
> from running the recommended "aptitude update" at the end of the
> successful "dist-upgrade".

These errors (untrusted packages) have to do with the new secure-apt system, which uses gpg keys to confirm the signatures on packages. Install the debian-archive-keyring package and then update.

> Is there an alternative to "aptitude update" or do I have to live with the
> missing md5sums and "untrusted packages"?

There is not really any alternative to "aptitude update", unless you consider some other apt front-end an alternative (apt-get, synaptic), but they all do the same thing.

The missing md5sums have nothing to do with the trusted/untrusted packages issue. In theory, you have installed packages that may be compromised due to the failure to check the signatures. In practice, this is probably not a real issue. You could pull known-good debs from somewhere and compare md5sums to confirm that your installation is good, but it's probably not worth the effort, unless you have some reason to be concerned about compromise.

You definitely should make sure you read up on the debian-archive-keyring and get it installed and working properly.

A
#3
On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
> On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>>
>> The fault is mine/my setup. My connection to the internet is slow;
>> hence I am reduced to using the DVDs for upgrades. Although I procured
>> the "official" Etch DVD set from a supplier listed by Debian, there were
>> numerous notifications during the "dist-upgrade" that I was installing
>> "untrusted packages".
>
> these errors (untrusted packages) have to do with the new secure-apt
> system which uses gpg keys to confirm the signatures on
> packages. Install the debian-archive-keyring package and then update.
>

The package was installed by default during the upgrade to Etch. But the documentation on how to use it is sparse. A new (December 2003!) apt routine - apt-key - can now be invoked and offers the following options:

    | Usage: apt-key [command] [arguments]
    |
    | Manage apt's list of trusted keys
    |
    | apt-key add <file>   - add the key contained in <file> ('-' for stdin)
    | apt-key del <keyid>  - remove the key <keyid>
    | apt-key update       - update keys using the keyring package
    | apt-key list         - list keys

But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to authenticate the individual installed packages?

I have no wish to re-invent the wheel - even if I knew how. A pointer to documentation would help. I have the gpg package installed and have used it occasionally to sign my emails; but there must be a routine for using the Etch Stable Release Key for checking 1000+ installed Debian packages.

An afterthought:

Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content has not been altered, but the signer is unknown"?

If so, then I am worrying about nothing!!

>> Is there an alternative to "aptitude update" or do I have to live with the
>> missing md5sums and "untrusted packages"?
>
> there is not really any alternative to "aptitude update"

If the update needs to be done while "online", it is probably a lost cause.

Thank you for taking the time to point me in the right direction.

Felix Karpfen
#4
On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
>
>> On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>>>
>>> The fault is mine/my setup. My connection to the internet is slow;
>>> hence I am reduced to using the DVDs for upgrades. Although I procured
>>> the "official" Etch DVD set from a supplier listed by Debian, there were
>>> numerous notifications during the "dist-upgrade" that I was installing
>>> "untrusted packages".
>>
>> these errors (untrusted packages) have to do with the new secure-apt
>> system which uses gpg keys to confirm the signatures on
>> packages. Install the debian-archive-keyring package and then update.
>>
>
> The package was installed by default during the upgrade to Etch. But
> the documentation on how to use it is sparse. A new (December 2003!) apt
> routine - apt-key - can now be invoked and offers the following options:
>
> | Usage: apt-key [command] [arguments]
> |
> | Manage apt's list of trusted keys
> |
> | apt-key add <file>   - add the key contained in <file> ('-' for stdin)
> | apt-key del <keyid>  - remove the key <keyid>
> | apt-key update       - update keys using the keyring package
> | apt-key list         - list keys
>
> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> authenticate the individual installed packages?

Sorry, beyond me. On my system it just works.

...

> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
> has not been altered, but the signer is unknown"?

I'm not sure.

> If so, then I am worrying about nothing!!

Not if the package is a compromised package that's been signed by the compromiser so that its signature is good but from an untrusted source, but we're outside my understanding here.

>>> Is there an alternative to "aptitude update" or do I have to live with the
>>> missing md5sums and "untrusted packages"?
>>
>> there is not really any alternative to "aptitude update"
>
> If the update needs to be done while "online", it is probably a lost
> cause.

A proper online update would probably do you a lot of good in regards to the archive keys, but probably would get your repository out of sync with your DVDs. If you are installing from known good media and getting these errors, then I'd suggest that 1) you're probably okay and 2) you need to talk to whoever supplied that media and make sure they are up-to-date.

A
#5
On Thu, 13 Sep 2007 12:29:28 -0700, Andrew Sackville-West wrote:
> On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
>> How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages?
>
> sorry, beyond me. on my system it just works.
>
>> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
>> has not been altered, but the signer is unknown"?
>
> I'm not sure.
>
>> If so, then I am worrying about nothing!!
>
> not if the package is a compromised package that's been signed by the
> compromiser so that its signature is good but from an untrusted
> source, but we're outside my understanding here.

Mine too. But an out-of-sync repository sounds a much worse fate than the remote possibility that packages on Etch DVDs (from a reputable supplier) were tampered with and then gpg-signed by the tamperer.

Thank you for sharing your experience.

Felix
#7
Hi,
First, missing md5sum values reported by debsums are normal.

Second, the signed key feature is a nice security feature, but it was a new feature. During etch's testing period, I recall several problems which erroneously made it report packages as unsigned.

On Wed, Sep 12, 2007 at 09:25:39PM +0000, Felix Karpfen wrote:
> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
>
>> On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>>>
>>> The fault is mine/my setup. My connection to the internet is slow;
>>> hence I am reduced to using the DVDs for upgrades. Although I procured
>>> the "official" Etch DVD set from a supplier listed by Debian, there were
>>> numerous notifications during the "dist-upgrade" that I was installing
>>> "untrusted packages".

When was it? If this is an upgrade from etch to lenny or sid on an official server, I will not worry too much.

>> these errors (untrusted packages) have to do with the new secure-apt
>> system which uses gpg keys to confirm the signatures on
>> packages. Install the debian-archive-keyring package and then update.
>>
>
> The package was installed by default during the upgrade to Etch. But
> the documentation on how to use it is sparse. A new (December 2003!) apt
> routine - apt-key - can now be invoked and offers the following options:
>
> | Usage: apt-key [command] [arguments]
> |
> | Manage apt's list of trusted keys
> |
> | apt-key add <file>   - add the key contained in <file> ('-' for stdin)
> | apt-key del <keyid>  - remove the key <keyid>
> | apt-key update       - update keys using the keyring package
> | apt-key list         - list keys
>
> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> authenticate the individual installed packages?

Oh, dpkg automatically checks it for you when you use apt-get/aptitude to install a package. (Unless you disable it.)

> I have no wish to re-invent the wheel - even if I knew how. A pointer to
> documentation would help. I have the gpg package installed and have used
> it occasionally to sign my emails; but there must be a routine for using
> the Etch Stable Release Key for checking 1000+ installed Debian
> packages.

For debsums, I just filed a bug report which provides a command to generate the missing md5sum values from the files in the package.

    http://bugs.debian.org/443530

This should let you check your system better. But my advice is do not worry too much... it should be fine. These days, keys work nicely and the next upgrade of a package will check these new packages against the archive key.

> An afterthought:
>
> Does "untrusted" have the meaning assigned in "gpg" - i.e. "the content
> has not been altered, but the signer is unknown"?

The key is created by the Debian ftp master. He placed it on the master archive machine. Then there is nice automation to sign those official packages. Since the secret key is unavailable to people other than the ftp-master, the proper signature cannot be faked by others. (I do not have access to the secret archive key.)

> If so, then I am worrying about nothing!!
>
>>> Is there an alternative to "aptitude update" or do I have to live with the
>>> missing md5sums and "untrusted packages"?
>>
>> there is not really any alternative to "aptitude update"
>
> If the update needs to be done while "online", it is probably a lost
> cause.

Well, look in the mail archive (debian-user or debian-devel) for archive key issues. You are not alone.

> Thank you for taking the time to point me in the right direction.

Good luck.

Osamu
#8
On Sun, 23 Sep 2007 17:32:20 +0900, Osamu Aoki wrote:
(Edited)

> During etch in testing period, I recall several problems which
> errouneously made to report to be unsigned package.

Since gpg-signed packages are an "etch" innovation, it explains why I had not encountered before the "warning" detailed below. I am still unclear about the point in the installation process at which the signature of the installed package is checked.

The short story at this end is:

a. I purchased a DVD set of Debian 4.0 from a Debian-listed supplier and followed the Debian upgrade instructions on all points except the final "aptitude update" step; I assumed that this needed a live Internet connection and my Internet connection is too slow (which is why I waited for the release of the "Official" DVD set before attempting the upgrade from Sarge).

b. Etch works perfectly. But both during the dist-upgrade and whenever I now use Synaptic to install a new package from my DVD set, I get a "warning" that I am installing software that "can't be authenticated", and that by doing this, a malicious individual could take control of or damage my system.

I have taken the view that the DVD supplier would not remain in business for very long if the products that he sold had been doctored to permit the scenario described above. But if there is an install step that would validate the signature on the installed package, I would be grateful to be pointed to it.

>> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
>>
>>> On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>>>
>>> these errors (untrusted packages) have to do with the new secure-apt
>>> system which uses gpg keys to confirm the signatures on
>>> packages. Install the debian-archive-keyring package and then update.
>>>
>> The package was installed by default during the upgrade to Etch. But
>> the documentation on how to use it is sparse. A new (December 2003!) apt
>> routine - apt-key - can now be invoked and offers the following options:
>>
>> | Usage: apt-key [command] [arguments]
>> |
>> | Manage apt's list of trusted keys
>> |
>> | apt-key add <file>   - add the key contained in <file> ('-' for stdin)
>> | apt-key del <keyid>  - remove the key <keyid>
>> | apt-key update       - update keys using the keyring package
>> | apt-key list         - list keys
>>
>> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages?
>
> Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> to install package. (Unless you disable it.)

So is the answer to my question:

"use aptitude and not Synaptic" for installing packages?

> Well look for mail archive (debian-user or debian-devel) on archive key
> issues. You are not alone.

My next step!

Thank you for the very detailed reply.

Felix
#9
On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <felixk@webone.com.au> was heard to say:
>>> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>>> authenticate the individual installed packages?
>>
>> Oh, dpkg automatically checks it for you when you use apt-get/aptitude
>> to install package. (Unless you disable it.)
>
> So is the answer to my question:
>
> "use aptitude and not Synaptic" for installing packages?

It shouldn't matter which frontend you use. All the major frontends check the signature of the Release file when you download package lists from the archive. The Release file contains a cryptographic checksum for the Packages file, which contains checksums for each individual .deb package.

dpkg performs no key checking, at least on packages in the Debian archive. There was some experimental code to stick embedded signatures into .deb files, but I don't know what its status is, and packages containing signatures aren't allowed in the archive last I heard.

Daniel
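The two-level chain Daniel describes (Release vouches for the Packages index, the index vouches for each .deb) is easy to reproduce by hand. The script below is an added example, not code from the thread or from apt: it builds a constructed miniature archive in a temp directory, with one fake .deb, a Packages stanza and a Release file in the Etch-era layout (a "SHA1:" section listing "<digest> <size> <path>"; current archives list SHA256 as well), and then walks the chain the way apt does after it has checked Release.gpg. The gpg step itself is omitted so the script runs offline; everything below a verified Release is pure checksum comparison, which is exactly why a .deb with no entry in a signed index gets the "untrusted" warning.

```shell
#!/bin/sh
# Added example: apt's Release -> Packages -> .deb checksum chain in
# miniature. Assumes a POSIX sh with coreutils (sha1sum, mktemp) and awk.
set -eu

# Build a constructed mock archive: one fake .deb, a Packages index that
# lists its digest, and a Release file that lists the index's digest.
make_mock_archive() {
    dir=$(mktemp -d)
    mkdir -p "$dir/dists/etch/main/binary-i386" "$dir/pool/main/h"
    deb="$dir/pool/main/h/hello_1.0_i386.deb"
    printf 'not a real deb, just constructed sample bytes\n' > "$deb"
    deb_sha1=$(sha1sum "$deb" | cut -d' ' -f1)
    deb_size=$(wc -c < "$deb" | tr -d ' ')
    pk="$dir/dists/etch/main/binary-i386/Packages"
    cat > "$pk" <<EOF
Package: hello
Version: 1.0
Architecture: i386
Filename: pool/main/h/hello_1.0_i386.deb
Size: $deb_size
SHA1: $deb_sha1

EOF
    pk_sha1=$(sha1sum "$pk" | cut -d' ' -f1)
    pk_size=$(wc -c < "$pk" | tr -d ' ')
    # In a real archive this file is what Release.gpg signs.
    cat > "$dir/dists/etch/Release" <<EOF
Origin: Debian
Suite: stable
Codename: etch
SHA1:
 $pk_sha1 $pk_size main/binary-i386/Packages
EOF
    echo "$dir"
}

# Digest listed in Release's "SHA1:" section for one index path.
release_sha1() {   # $1 = Release file, $2 = path relative to dists/etch
    awk -v want="$2" '
        /^SHA1:/ { insec = 1; next }
        /^[^ ]/  { insec = 0 }
        insec && $3 == want { print $1; exit }' "$1"
}

# One field from the Packages stanza of the named package.
packages_field() { # $1 = Packages file, $2 = package, $3 = field name
    awk -v pkg="$2" -v fld="$3" -F': ' '
        $1 == "Package" { cur = $2 }
        cur == pkg && $1 == fld { print $2; exit }' "$1"
}

# Step 1: Release vouches for the Packages index.
verify_index() {   # $1 = archive root; exit 0 only if digests match
    expected=$(release_sha1 "$1/dists/etch/Release" main/binary-i386/Packages)
    actual=$(sha1sum "$1/dists/etch/main/binary-i386/Packages" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Step 2: the Packages index vouches for the .deb it names.
verify_deb() {     # $1 = archive root, $2 = package; exit 0 only on match
    pk="$1/dists/etch/main/binary-i386/Packages"
    file=$(packages_field "$pk" "$2" Filename)
    expected=$(packages_field "$pk" "$2" SHA1)
    actual=$(sha1sum "$1/$file" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Both steps in order; a package is trusted only if the whole chain holds.
verify_chain() {   # $1 = archive root, $2 = package
    if verify_index "$1" && verify_deb "$1" "$2"; then
        echo "OK: $2 is covered by the Release file"
    else
        echo "FAIL: $2 is not covered by the Release file" >&2
        return 1
    fi
}
```

Run it as "d=$(make_mock_archive); verify_chain "$d" hello", then append a byte to the .deb and run verify_chain again to see the second link break while the first still holds. A DVD whose dists/ tree carries Release but no Release.gpg stops this chain at step 0: the digests are all present, but nothing authenticates the file that lists them.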
#10
Daniel Burrows <dburrows@debian.org> writes:
> On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <felixk@webone.com.au> was heard to say:
>>>> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>>>> authenticate the individual installed packages?
>>>
>>> Oh, dpkg automatically checks it for you when you use apt-get/aptitude
>>> to install package. (Unless you disable it.)
>>
>> So is the answer to my question:
>>
>> "use aptitude and not Synaptic" for installing packages?
>
> It shouldn't matter which frontend you use. All the major frontends
> check the signature of the Release file when you download package lists
> from the archive. The Release file contains a cryptographic checksum
> for the Packages file, which contains checksums for each individual .deb
> package.
>
> dpkg performs no key checking, at least on packages in the Debian
> archive. There was some experimental code to stick embedded signatures
> into .deb files, but I don't know what its status is and packages
> containing signatures aren't allowed in the archive last I heard.

Is there some way to get the system to re-read the release file? I installed the key after I upgraded the system to etch, so all packages on my DVDs show as being unverified. I have tried to get it to clear that, but nothing I have tried has worked. I also noticed recently that some packages show multiple entries in aptitude, so possibly clearing the entries would clear that. I am not the OP, but this looks like it relates to my problem.

--
Carl Johnson carlj@peak.org
#11
On Tue, Oct 02, 2007 at 21:02:41 -0700, Carl Johnson wrote:
> Daniel Burrows writes:

[...]

>> It shouldn't matter which frontend you use. All the major frontends
>> check the signature of the Release file when you download package lists
>> from the archive. The Release file contains a cryptographic checksum
>> for the Packages file, which contains checksums for each individual .deb
>> package.
>>
>> dpkg performs no key checking, at least on packages in the Debian
>> archive. There was some experimental code to stick embedded signatures
>> into .deb files, but I don't know what its status is and packages
>> containing signatures aren't allowed in the archive last I heard.
>
> Is there some way to get the system to re-read the release file? I
> installed the key after I upgraded the system to etch, so all
> packages on my DVDs show as being unverified. I have tried to get it
> to clear that, but nothing I have tried has worked.

Did you try to remove all the DVD-related lines from your /etc/apt/sources.list, run "aptitude update" and then add the DVD(s) again using the "apt-cdrom" command? I think that should work but I have not tested it.

If apt still complains about missing keys after that then you might have to add one or more keys to apt's keyring. Aptitude will show the ID of the missing key so you can download it and add it with "apt-key".

> I also noticed
> recently that some packages show multiple entries in aptitude, so
> possibly clearing the entries would clear that.

Do you mean multiple versions for the same package or the same package name as two separate entries? (The former would be OK, the latter would be cause for concern, I think.) Can you give an example with more details?

--
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
#12
On Tue, Oct 02, 2007 at 09:02:41PM -0700, Carl Johnson <carlj@peak.org> was heard to say:
> Daniel Burrows <dburrows@debian.org> writes:
>> dpkg performs no key checking, at least on packages in the Debian
>> archive. There was some experimental code to stick embedded signatures
>> into .deb files, but I don't know what its status is and packages
>> containing signatures aren't allowed in the archive last I heard.
>
> Is there some way to get the system to re-read the release file? I
> installed the key after I upgraded the system to etch, so all
> packages on my DVDs show as being unverified. I have tried to get it
> to clear that, but nothing I have tried has worked. I also noticed
> recently that some packages show multiple entries in aptitude, so
> possibly clearing the entries would clear that.

I believe that just updating your package lists should do the trick.

Daniel
#13
Daniel Burrows <dburrows@debian.org> writes:
> On Tue, Oct 02, 2007 at 09:02:41PM -0700, Carl Johnson <carlj@peak.org> was heard to say:
>> Daniel Burrows <dburrows@debian.org> writes:
>>> dpkg performs no key checking, at least on packages in the Debian
>>> archive. There was some experimental code to stick embedded signatures
>>> into .deb files, but I don't know what its status is and packages
>>> containing signatures aren't allowed in the archive last I heard.
>>
>> Is there some way to get the system to re-read the release file? I
>> installed the key after I upgraded the system to etch, so all
>> packages on my DVDs show as being unverified. I have tried to get it
>> to clear that, but nothing I have tried has worked. I also noticed
>> recently that some packages show multiple entries in aptitude, so
>> possibly clearing the entries would clear that.
>
> I believe that just updating your package lists should do the trick.

That didn't seem to change anything. I even commented out all lines in the sources.list file before first doing an update. That showed no uninstalled files available, so I then did another apt-cdrom and update. That showed the available files, but I still got the untrusted source warning. I do have the debian-archive-keyring that apt depends on.

I just noticed that I still have multiple entries in aptitude for some of the installed files listed under 'Packages which depend on apt'. For example apt shows 'debtags 1.6.6' twice.

--
Carl Johnson carlj@peak.org
#14
On Wed, 03 Oct 2007 21:55:17 +0200, Florian Kulzer wrote:
> On Tue, Oct 02, 2007 at 21:02:41 -0700, Carl Johnson wrote:
>> Is there some way to get the system to re-read the release file? I
>> installed the key after I upgraded the system to etch, so all
>> packages on my DVDs show as being unverified. I have tried to get it
>> to clear that, but nothing I have tried has worked.
>
> Did you try to remove all the DVD-related lines from your
> /etc/apt/sources.list, **run "aptitude update"** and then add the DVD(s)
> again using the "apt-cdrom" command? I think that should work but I have
> not tested it.

I believe that the above-flagged problem is similar to the one that I posted to this thread. But either I have not understood the suggested solution or the solution is nonviable with my setup.

The only entries in my "/etc/apt/sources.list" relate to my DVDs. The reason is that my connection to the Internet is too slow for viable online "dist upgrades"; and even if an online "aptitude update" actually managed to go to completion, I would just end up with an out-of-sync setup.

Is there any available strategy that applies to cases like mine?

Felix Karpfen
#15
Florian Kulzer <florian.kulzer+debian@icfo.es> writes:
> On Tue, Oct 02, 2007 at 21:02:41 -0700, Carl Johnson wrote:
>
> Did you try to remove all the DVD-related lines from your
> /etc/apt/sources.list, run "aptitude update" and then add the DVD(s)
> again using the "apt-cdrom" command? I think that should work but I have
> not tested it.

I hadn't tried that originally, but I have since with no change.

> If apt still complains about missing keys after that then you might have
> to add one or more keys to apt's keyring. Aptitude will show the ID
> of the missing key so you can download it and add it with "apt-key".

I haven't seen any place where aptitude shows any of that information. It just shows me a warning such as:

    WARNING: This version of acpid is from an untrusted source!
    Installing this package could allow a malicious
    individual to damage or take control of your system.

I checked apt-key, and 'apt-key list' shows this:

    /etc/apt/trusted.gpg
    --------------------
    pub   1024D/2D230C5F 2006-01-03 [expired: 2007-02-07]
    uid                  Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

    pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
    uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

    pub   1024D/ADB11277 2006-09-17
    uid                  Etch Stable Release Key <debian-release@lists.debian.org>

>> I also noticed
>> recently that some packages show multiple entries in aptitude, so
>> possibly clearing the entries would clear that.
>
> Do you mean multiple versions for the same package or the same package
> name as two separate entries? (The former would be OK, the latter would
> be cause for concern, I think.) Can you give an example with more
> details?

I should have been more clear about that. I don't have different versions since I just have packages from the Etch DVDs. It isn't in the actual aptitude list, but instead in the individual package entries. The list of packages that depend on the package sometimes shows duplicate entries for packages that I already have. This may just be an artifact of the way that aptitude tracks reverse dependencies. An example is under apt, the list of 'packages which depend on apt' includes:

    i   debtags 1.6.6
    i   debtags 1.6.6

My /etc/apt/sources.list has only the 3 original Debian 4.0 DVDs, and all other entries have been commented out throughout this time.

Thanks for taking the time to look at this. This isn't a problem now, but I am nervous about adding other packages from the net without some verification that they are valid.

--
Carl Johnson carlj@peak.org
#16
[ Felix, I hope this message also s with your problem. ]
On Thu, Oct 04, 2007 at 16:22:06 -0700, Carl Johnson wrote:
> Florian Kulzer writes:
> > On Tue, Oct 02, 2007 at 21:02:41 -0700, Carl Johnson wrote:
> >
> > Did you try to remove all the DVD-related lines from your
> > /etc/apt/sources.list, run "aptitude update" and then add the DVD(s)
> > again using the "apt-cdrom" command? I think that should work but I have
> > not tested it.
>
> I hadn't tried that originally, but I have since with no change.

[ snip: output of "apt-key list" ]

You have all the necessary keys for a normal Debian system. However, it seems that the DVDs and CDs simply do not contain Release.gpg files, so there are no signatures to check. (I looked at an old netinst CD and I downloaded the first Etch_r1 amd64 CD; I could not find a Release.gpg file on either one.)

What you can do now is to check the md5sums and the sha1sums of the DVDs. If they match then you can be reasonably sure that all the individual packages on these DVDs are OK.

First you need to download the files which list these checksums:

wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/MD5SUMS{,.sign}
wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/SHA1SUMS{,.sign}

Then you can verify the signatures on the two files:

gpg --verify MD5SUMS.sign
gpg --verify SHA1SUMS.sign

These two commands should download Steve McIntyre's public key (ID 88C7C1F7) from a keyserver and then check if the current content of these files has indeed been signed by him. ("Good signature from ...")

Now you can test if your DVDs have the same MD5 and SHA1 checksums as listed in MD5SUMS and SHA1SUMS. To calculate these checksums for your DVDs, put one of them into the drive and run:

md5sum -b /dev/scd0
sha1sum -b /dev/scd0

You have to replace "/dev/scd0" with the correct device node of your DVD reader; check where the dvd symlink is pointing ("ls -l /dev/dvd"). Calculating these sums for a whole DVD will take a while, even on a fast computer. You can run all the above commands as your normal user; however, you have to be a member of the "cdrom" group to read the raw DVD device.

Once you are happy about your DVDs, you can do this (as root):

echo 'APT::Authentication::TrustCDROM "true";' > /etc/apt/apt.conf.d/99trust-cdrom

This tells apt(itude) to trust all "cdrom:" sources. (The DVDs have cdrom: URIs in /etc/apt/sources.list, right?)

> > > I also noticed
> > > recently that some packages show multiple entries in aptitude, so
> > > possibly clearing the entries would clear that.
> >
> > Do you mean multiple versions for the same package or the same package
> > name as two separate entries? (The former would be OK, the latter would
> > be cause for concern, I think.) Can you give an example with more
> > details?
>
> I should have been more clear about that. I don't have different
> versions since I just have packages from the Etch DVDs. It isn't in
> the actual aptitude list, but instead in the individual package
> entries. The list of packages that depend on the package sometimes
> shows duplicate entries for packages that I already have. This may
> just be an artifact of the way that aptitude tracks reverse
> dependencies. An example is under apt, the list of 'packages which
> depend on apt' includes:
>
> i debtags 1.6.6
> i debtags 1.6.6

Hmm, can you post the output of "apt-cache policy debtags"?

> My /etc/apt/sources.list has only the 3 original Debian 4.0 DVD's, and
> all other entries have been commented out throughout this time.
>
> Thanks for taking the time to look at this. This isn't a problem now,
> but I am nervous about adding other packages from the net without some
> verification that they are valid.

Your system is already configured to check all the packages from the net, but it is important that we get rid of the "untrusted" message for the DVD packages. (Otherwise you will get used to ignoring the warning or, even worse, you will be tempted to turn it off globally.)

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
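One way to script the comparison step of the procedure above, as an added example that is not Florian's code or anything shipped by the Debian project: after the signatures on MD5SUMS.sign and SHA1SUMS.sign have been checked with "gpg --verify", it looks up the expected checksum for a named image in the sums file, computes the checksum of the disc device or ISO, and reports match, mismatch or a missing entry, so the hex strings are compared by the script rather than by eye. It assumes coreutils md5sum/sha1sum and the usual "<hex>  <filename>" layout of those files; the function names and the image file name in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: compare the checksum of a DVD device
# or ISO file against the entry for it in Debian's MD5SUMS / SHA1SUMS
# files (verified beforehand with "gpg --verify" as described above).
# Assumes coreutils md5sum/sha1sum and the usual "<hex>  <filename>"
# layout of the sums files; function names are illustrative.

# Print the expected checksum for image name $2 from sums file $1.
# Tolerates both "hex  name" and "hex *name" (binary-mode) entries.
expected_sum() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f)
                        if (f == name) { print $1; exit } }' "$1"
}

# Compute the $1 (md5|sha1) checksum of $2 (device node or ISO file).
actual_sum() {
    case "$1" in
        md5)  md5sum -b "$2" | awk '{ print $1 }' ;;
        sha1) sha1sum -b "$2" | awk '{ print $1 }' ;;
        *)    echo "unknown algorithm: $1" >&2; return 3 ;;
    esac
}

# verify_image ALGO SUMSFILE IMAGENAME PATH
# Exit status: 0 match, 1 mismatch, 2 image not listed, 3 usage error.
verify_image() {
    algo=$1; sums=$2; name=$3; path=$4
    want=$(expected_sum "$sums" "$name")
    if [ -z "$want" ]; then
        echo "$name: not listed in $sums" >&2
        return 2
    fi
    have=$(actual_sum "$algo" "$path") || return 3
    if [ "$have" = "$want" ]; then
        echo "$name: $algo OK"
        return 0
    fi
    echo "$name: $algo MISMATCH (expected $want, got $have)" >&2
    return 1
}

# Typical use with the disc in the drive (the image name is illustrative;
# use the one that appears in the sums file for your disc):
#   verify_image md5  MD5SUMS  debian-40r1-i386-DVD-1.iso /dev/scd0
#   verify_image sha1 SHA1SUMS debian-40r1-i386-DVD-1.iso /dev/scd0
```

Reading the raw device still needs membership of the "cdrom" group, as the post notes, and a mismatch on a disc means you should not set TrustCDROM for it.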
#17
On Thu, Oct 04, 2007 at 04:22:06PM -0700, Carl Johnson <carlj@peak.org> was heard to say:
> I haven't seen any place where aptitude shows any of that
> information. It just shows me a warning such as:
>
> WARNING: This version of acpid is from an untrusted source!
> Installing this package could allow a malicious
> individual to damage or take control of your system.

Could you paste the full output of "apt-get update"?

Daniel
#18
On Fri, 05 Oct 2007 18:40:44 +0200, Florian Kulzer wrote:
> [ Felix, I hope this message also helps with your problem. ]

Thank you. The posting gave a full explanation of my observations and a strategy for dealing with the (probably non-existent) problem.

Felix
-- 
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)
#19
Florian Kulzer <florian.kulzer+debian@icfo.es> writes:
> [ Felix, I hope this message also helps with your problem. ]
>
> On Thu, Oct 04, 2007 at 16:22:06 -0700, Carl Johnson wrote:
> > Florian Kulzer writes:
> > > On Tue, Oct 02, 2007 at 21:02:41 -0700, Carl Johnson wrote:
> > >
> > > Did you try to remove all the DVD-related lines from your
> > > /etc/apt/sources.list, run "aptitude update" and then add the DVD(s)
> > > again using the "apt-cdrom" command? I think that should work but I have
> > > not tested it.
> >
> > I hadn't tried that originally, but I have since with no change.
>
> [ snip: output of "apt-key list" ]
>
> You have all the necessary keys for a normal Debian system. However, it
> seems that the DVDs and CDs simply do not contain Release.gpg files, so
> there are no signatures to check. (I looked at an old netinst CD and I
> downloaded the first Etch_r1 amd64 CD; I could not find a Release.gpg
> file on either one.)
>
> What you can do now is to check the md5sums and the sha1sums of the
> DVDs. If they match then you can be reasonably sure that all the
> individual packages on these DVDs are OK.
>
> First you need to download the files which list these checksums:
>
> wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/MD5SUMS{,.sign}
> wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/SHA1SUMS{,.sign}

I didn't notice until after I downloaded them that they are i386, but I have amd64, but it was easy enough to find the amd64 ones. Then I noticed that they are 4.0_r1 and I just have the original 4.0. That is where I struck out and was unable to find any other than r1.

> Then you can verify the signatures on the two files:
>
> gpg --verify MD5SUMS.sign
> gpg --verify SHA1SUMS.sign
>
> These two commands should download Steve McIntyre's public key (ID
> 88C7C1F7) from a keyserver and then check if the current content of
> these files has indeed been signed by him. ("Good signature from ...")

I then discovered that I had never bothered setting up gnupg, so it couldn't find a keyserver. I looked for documentation without success, so it appears I will have to get to the non-free archives to get documentation for gnupg (and many others).

> Now you can test if your DVDs have the same MD5 and SHA1 checksums as
> listed in MD5SUMS and SHA1SUMS. To calculate these checksums for your
> DVDs, put one of them into the drive and run:
>
> md5sum -b /dev/scd0
> sha1sum -b /dev/scd0
>
> You have to replace "/dev/scd0" with the correct device node of your DVD
> reader; check where the dvd symlink is pointing ("ls -l /dev/dvd").
> Calculating these sums for a whole DVD will take a while, even on a fast
> computer. You can run all the above commands as your normal user;
> however, you have to be a member of the "cdrom" group to read the raw
> DVD device.

I ran checksums on the first DVD and found they didn't match, as I expected by now.

> Once you are happy about your DVDs, you can do this (as root):
>
> echo 'APT::Authentication::TrustCDROM "true";' > /etc/apt/apt.conf.d/99trust-cdrom
>
> This tells apt(itude) to trust all "cdrom:" sources. (The DVDs have
> cdrom: URIs in /etc/apt/sources.list, right?)

I ended up doing this anyways, since they are official DVDs from a vendor listed at debian.org. I was going to file a bug about the Release.gpg not being present, until I suddenly realized that they can't put them on the ISO image without changing the checksum.

> > > > I also noticed
> > > > recently that some packages show multiple entries in aptitude, so
> > > > possibly clearing the entries would clear that.
> > >
> > > Do you mean multiple versions for the same package or the same package
> > > name as two separate entries? (The former would be OK, the latter would
> > > be cause for concern, I think.) Can you give an example with more
> > > details?
> >
> > I should have been more clear about that. I don't have different
> > versions since I just have packages from the Etch DVDs. It isn't in
> > the actual aptitude list, but instead in the individual package
> > entries. The list of packages that depend on the package sometimes
> > shows duplicate entries for packages that I already have. This may
> > just be an artifact of the way that aptitude tracks reverse
> > dependencies. An example is under apt, the list of 'packages which
> > depend on apt' includes:
> >
> > i debtags 1.6.6
> > i debtags 1.6.6
>
> Hmm, can you post the output of "apt-cache policy debtags"?

Here it is, but debtags isn't the only one:

debtags:
  Installed: 1.6.6
  Candidate: 1.6.6
  Version table:
 *** 1.6.6 0
        500 cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-1 20070407-12:15] etch/main Packages
        100 /var/lib/dpkg/status

> > My /etc/apt/sources.list has only the 3 original Debian 4.0 DVD's, and
> > all other entries have been commented out throughout this time.
> >
> > Thanks for taking the time to look at this. This isn't a problem now,
> > but I am nervous about adding other packages from the net without some
> > verification that they are valid.
>
> Your system is already configured to check all the packages from the
> net, but it is important that we get rid of the "untrusted" message
> for the DVD packages. (Otherwise you will get used to ignoring the
> warning or, even worse, you will be tempted to turn it off globally.)

Thanks for your help, but I finally decided to take your earlier advice already and just mark the DVDs as trusted. At least I feel better now that I know why it wouldn't trust the DVDs.

-- 
Carl Johnson carlj@peak.org
#20
Daniel Burrows <dburrows@debian.org> writes:
> On Thu, Oct 04, 2007 at 04:22:06PM -0700, Carl Johnson <carlj@peak.org> was heard to say:
> > I haven't seen any place where aptitude shows any of that
> > information. It just shows me a warning such as:
> >
> > WARNING: This version of acpid is from an untrusted source!
> > Installing this package could allow a malicious
> > individual to damage or take control of your system.
>
> Could you paste the full output of "apt-get update"?

Here is the output:

Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-3 20070407-12:15] etch Release.gpg
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-2 20070407-12:15] etch Release.gpg
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-1 20070407-12:15] etch Release.gpg
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-3 20070407-12:15] etch Release
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-2 20070407-12:15] etch Release
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-1 20070407-12:15] etch Release
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-3 20070407-12:15] etch/contrib Packages/DiffIndex
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-3 20070407-12:15] etch/main Packages/DiffIndex
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-2 20070407-12:15] etch/contrib Packages/DiffIndex
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-2 20070407-12:15] etch/main Packages/DiffIndex
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-1 20070407-12:15] etch/contrib Packages/DiffIndex
Ign cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Bi