gwdg.de contains unsigned rpms: risk of apt repository compromise?
Posted Mar 18, 2004 9:27 UTC (Thu) by hensema (guest, #980)
Parent article: gwdg.de contains unsigned rpms: risk of apt repository compromise?
The author has -- as most of us -- automatically upgraded to a version of apt which automatically checks signatures. Previous versions did not.
There is no change in the SuSE rpms in the repository: some are signed, some are not. This has always been the case.
Of course it would be preferable if all rpms were signed. I think all original SuSE rpms are signed, so if you limit yourself to base and security, you should be fine.
If you want to install unsigned packages with apt (as you've always done!), you can disable the signature check by editing /etc/apt/apt.conf.d/gpg-checker.conf