Where to get key A714EB87D1B1F415?

Michel D'HOOGE list.dhooge at gmail.com
Thu Dec 7 06:19:46 GMT 2006

On Wednesday 06 December 2006 16:30, D. R. Evans wrote:
> I am fairly paranoid about not installing unsigned packages 
Thanks for saying that, because IMHO it seems to be a common behaviour that I 
think quite odd & risky! I'll explain:

Indeed, why do you believe you are safer once you have downloaded the public 
key of someone you don't know? As long as there is no "GPG trust path" between 
you and the guy providing the packages, nothing has changed. Well, in fact, 
AFAIK something has changed, and not for the better. If the guy (or someone 
who got into his system) now decides to provide a trojan version of an 
essential package (say, libc), you will install it without noticing anything.

So unless I can find a way to know the origin of the packages, I'd rather stay 
with unsigned repositories except for canonical ones. One can also argue that 
I can't trust them either, but this is a level of risk I can accept living 
with ;-)
Maybe it's already available, but I haven't found it so far - I use aptitude. 
What I'd like is at least 3 levels that I could assign to the repositories. 
It would be even better if I could have several disconnected groups (one for 
Canonical, one for multimedia stuff, ...). Or maybe simply to display the 
repository from which a package is downloaded.
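An added example, not part of the original post: the per-repository levels asked for above can be expressed with apt pinning, which apt reads from an apt_preferences(5) file (aptitude honours it too), and `apt-cache policy` displays which repository a package would be fetched from. The origin label and hostnames below are placeholders; the real "Origin:" value of a repository is shown by `apt-cache policy`.

```shell
# Added example: three trust levels for apt repositories via pinning.
# The origin label "Ubuntu" and the hostnames are assumptions/placeholders.
set -eu

# write_apt_prefs PATH: writes a preferences file giving each origin a priority.
#   990   : Canonical archive; wins over any other repository for the same package
#   400   : semi-trusted repo (e.g. multimedia); below the default 500, so a
#           Canonical version of the same package is always preferred
#   50    : untrusted repo; apt only takes a version from it when the package is
#           not installed at all (a priority below 0 would block it entirely)
write_apt_prefs() {
    cat > "$1" <<'EOF'
Package: *
Pin: release o=Ubuntu
Pin-Priority: 990

Package: *
Pin: origin "multimedia.example.org"
Pin-Priority: 400

Package: *
Pin: origin "third-party.example.org"
Pin-Priority: 50
EOF
}

# pin_priority PATH ORIGIN: prints the Pin-Priority that PATH assigns to ORIGIN,
# so the levels can be checked without running apt on the host.
pin_priority() {
    awk -v origin="$2" '
        $1 == "Pin:" && index($0, origin) { hit = 1; next }
        $1 == "Pin-Priority:" && hit      { print $2; exit }
        /^$/                              { hit = 0 }
    ' "$1"
}

# show_origin PACKAGE: shows the candidate version and the repository it comes
# from, i.e. "the repository from which a package is downloaded".
show_origin() {
    apt-cache policy "$1"
}
```

Install the generated file as /etc/apt/preferences (or a file under /etc/apt/preferences.d/) and re-run `show_origin libc6` to confirm that the Canonical version remains the candidate.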


