Ubuntu/Debian apt-get authorization



bogusfart
2007-09-02, 15:21
It appears that I'm not the only one who has attempted an apt-get install of SlimServer on Ubuntu recently and encountered a "problem" with authentication:

http://forums.slimdevices.com/showthread.php?t=36060&highlight=authenticated

I think maybe that the problem is not which method we're using to install (apt-get command line, synaptic, adept, etc.) but rather whether we have the proper security settings. I believe Ubuntu 7.04 (which I am using also) will only install packages without warning that can be authenticated with a PGP signature. Does anyone know if this is correct?

Given that the Wiki's instructions (http://wiki.slimdevices.com/?DebianPackage) mention nothing about a GPG signature, I'm inclined to believe none of the packages at http://debian.slimdevices.com are signed with SlimDevices/Logitech/whoever's PGP key.

Of course I could just answer "Yes" when prompted if I want to install the following unauthenticated packages, but I'd really rather be able to authenticate them.

libdata-vstring-perl
libdbix-migration-perl
libenum-perl
libfile-bom-perl
libmpeg-audio-frame-perl
libnet-upnp-perl
libreadonly-perl
libtie-cache-lru-expires-perl
libtie-cache-lru-perl
libtie-llhash-perl
libxml-simple-perl
libxml-xspf-perl
slimserver

Are there any plans to sign all these packages so that paranoid users (like myself) can be assured that we're getting what we should be getting? Or do we simply need to "lighten up" a bit and accept the fact that the packages are not signed? :-)

I apologize if this is the wrong way or place to post this inquiry, but I'm new to the forum.

On a side note -- however inappropriate -- it seems a bit unfair to me that only southern California residents and visitors can get a discount on the Squeezebox. If I had known about the BBQ earlier, I could have planned some time off of work and a trip to California. Of course all the trouble and travel costs would definitely offset the $50 savings... :-)

http://forums.slimdevices.com/announcement.php?f=&a=1

SuperQ
2007-09-02, 16:25
No, it doesn't look like Slimdevices is signing their releases. Until they set up the signature stuff, you'll just have to ignore the warning...

Some good docs here:

http://wiki.debian.org/SecureApt
http://help.ubuntu.com/community/SecureApt
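The SecureApt documents linked above describe what the "unauthenticated packages" prompt is actually about: apt verifies a GPG signature on the repository's Release file, the Release file carries hashes of the Packages index, and the Packages index carries hashes of each .deb. A package is only "authenticated" if that whole chain holds. The following is an added example (not code from this thread, from apt, or from SlimDevices) that implements the two hash layers of that chain in Python over a tiny constructed repository, and shows that tampering with a .deb, or even with the Packages index itself, is caught as long as the Release file is the one that was signed. The gpg check on Release is assumed to have already passed; the package name, version, paths and .deb contents are constructed for illustration.

```python
"""SecureApt trust chain, reduced to the hash checks apt performs after the
signature on Release has been verified (the gpg step itself is outside this
example): Release (signed) -> SHA256 of Packages -> SHA256 of each .deb."""
import hashlib

# Constructed sample data; nothing here is taken from debian.slimdevices.com.
PACKAGES_PATH = "main/binary-all/Packages"
DEB_NAME = "slimserver_6.5.4_all.deb"          # hypothetical file name
DEB_FILENAME = f"pool/main/s/slimserver/{DEB_NAME}"
FAKE_DEB = b"!<arch>\nconstructed stand-in for a .deb archive\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages(deb_name: str, deb_bytes: bytes) -> str:
    """One stanza of a Packages index, as the repository would publish it."""
    return (
        "Package: slimserver\n"
        "Version: 6.5.4\n"
        "Architecture: all\n"
        f"Filename: pool/main/s/slimserver/{deb_name}\n"
        f"Size: {len(deb_bytes)}\n"
        f"SHA256: {sha256(deb_bytes)}\n\n"
    )


def build_release(packages_text: str) -> str:
    """The Release file: this is the only artifact the repository key signs."""
    body = packages_text.encode()
    return (
        "Origin: example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {sha256(body)} {len(body)} {PACKAGES_PATH}\n"
    )


def parse_release_hashes(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256: section of Release."""
    hashes, in_sha = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_sha = True
            continue
        if in_sha:
            if not line.startswith(" "):   # next top-level field ends the section
                in_sha = False
                continue
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (SHA256, Size)} for every stanza in Packages."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result


def verify(release_text: str, packages_text: str, debs: dict) -> tuple:
    """Walk the chain downward; fail closed on any missing or mismatching hash.
    debs maps Filename -> bytes as downloaded from the mirror."""
    rel = parse_release_hashes(release_text)
    if PACKAGES_PATH not in rel:
        return False, f"{PACKAGES_PATH} not listed in Release"
    want_digest, want_size = rel[PACKAGES_PATH]
    body = packages_text.encode()
    if len(body) != want_size or sha256(body) != want_digest:
        return False, "Packages index does not match signed Release"
    for filename, (digest, size) in parse_packages(packages_text).items():
        data = debs.get(filename)
        if data is None:
            return False, f"{filename} missing"
        if len(data) != size or sha256(data) != digest:
            return False, f"{filename} does not match Packages index"
    return True, "all hashes verified"


def demo(tamper: str = None) -> tuple:
    """Build the tiny repo, optionally tamper with one layer, and verify it."""
    deb = FAKE_DEB
    packages = build_packages(DEB_NAME, deb)
    release = build_release(packages)            # signed snapshot of the index
    if tamper == "deb":                          # attacker swaps only the .deb
        deb = deb + b"\nappended payload\n"
    elif tamper == "packages":                   # attacker also rewrites Packages
        deb = deb + b"\nappended payload\n"
        packages = build_packages(DEB_NAME, deb)
    return verify(release, packages, {DEB_FILENAME: deb})


if __name__ == "__main__":
    for case in (None, "deb", "packages"):
        print(case or "clean", demo(case))
```

The "packages" case is the one that matters for the question in this thread: a mirror or a man-in-the-middle can serve a consistent-looking Packages index and .deb, and only the signature on Release (a hash of the index that the attacker cannot re-sign) lets apt notice. Without a signed Release there is nothing above the index to check against, which is exactly why apt prompts. On the client side, importing the repository's public key with `apt-key add` (the mechanism current in 2007, since deprecated) is what lets the gpg step pass, and `APT::Get::AllowUnauthenticated` controls whether unsigned packages prompt or are refused outright.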

snarlydwarf
2007-09-02, 23:52
Things coming from an autobuilder (be it Slim's or Debian's) don't really gain anything by being signed... corrupt the source and let the autobuilder pass on the bad code.

See, I can be more paranoid than you... and in that case, it means the signature can't be trusted.

bogusfart
2007-09-03, 12:57
Thank you both for the prompt replies.

As for who's more paranoid...you're right, snarlydwarf, you are more paranoid than me! :-)

But seriously, I wasn't talking about whether the code was "good" or "corrupt" (due to autobuilder or whatever) but rather whether the code was what SlimDevices (SD, et al.) meant to be distributed. In other words, that someone else had not intentionally posted malicious code without SD's knowledge or consent.

Either way it's paranoia.

I guess I just have to lighten up a bit and hope for the best!