Re: insecurity/threat of rpm, urpmi, apt-get installs?

From: Tim Haynes (
Date: 10/14/04

Date: Thu, 14 Oct 2004 18:01:03 +0100

Beowulf <> writes:

> I have to say almost all the packages I have installed via urpmi have had
> bad signatures, and I just go ahead and install them, not understanding
> why they have bad signatures. Have I been installing spyware or hacked
> binaries, or is such an event common and harmless? Without urpmi (apt-get
> equivalent) I end up in dependency hell, but with urpmi I end up
> installing bad signature rpms/libs; seems a no-win situation.

You certainly don't know that you haven't been installing bad things.

If you did get valid signatures for all your packages, you'd know that the
packages were as trustworthy as that signature - i.e. that you trusted the
signature as being indicative of redhat/mandrake/whoever's approval in the
first place, hoping that it hasn't been cracked or leaked since you first
established trust in it.

If you had only installed packages with correct signatures, you would have
had a *much* lower probability of anything having been wrong.


Headlights flash in the darkness       |
Memories twist in the rain             |
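An added example, not from this thread: a small POSIX shell gate that only lets a package through when `rpm --checksig` (alias `rpm -K`) reports a signature that actually verified. The function names (`classify_checksig`, `safe_install`) and the sample output lines are my own constructions, modelled on the line formats rpm 4.x prints; the key id in the "MISSING KEYS" line is a placeholder. The caveat it handles is the one that bites here: rpm prints "OK" for a package that has only digests and no signature at all, so "OK" by itself is not evidence of anybody's approval.

```shell
#!/bin/sh
# Added example (not part of the original post). Classify one line of
# `rpm --checksig` output and refuse anything that is not a verified signature.
#
#   classify_checksig LINE   -> prints verified | unsigned | failed
#                               returns 0 only for "verified"
#
# Accepted only if the line ends in OK (not "NOT OK") AND names a signature
# token (gpg/pgp/dsa/rsa, or "signatures" in newer rpm output). A line with
# only md5/sha1 digests and OK is an unsigned package and is rejected too.
classify_checksig() {
    # Drop the "filename: " prefix so a package name containing "rsa" or
    # "dsa" cannot be mistaken for a signature token.
    rest=$(printf '%s' "${1#*: }" | tr 'A-Z' 'a-z')
    case "$rest" in
        *"not ok"*) echo failed; return 1 ;;
    esac
    case "$rest" in
        *" ok") ;;                       # verification passed
        *)      echo failed; return 1 ;; # anything else: treat as failure
    esac
    case "$rest" in
        *gpg*|*pgp*|*dsa*|*rsa*|*signatures*) echo verified; return 0 ;;
        *)                                    echo unsigned; return 1 ;;
    esac
}

# safe_install PKG: run the real check and install only on "verified".
# (Not exercised by the constructed samples below; it needs rpm on the host.)
safe_install() {
    pkg=$1
    verdict=$(classify_checksig "$(rpm --checksig "$pkg" 2>&1)")
    if [ "$verdict" = verified ]; then
        rpm -Uvh "$pkg"
    else
        echo "refusing to install $pkg: signature check result '$verdict'" >&2
        return 1
    fi
}

# Constructed sample lines in the shapes rpm 4.x produces (placeholder key id).
SAMPLE_SIGNED_OLD='foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='bar-2.0-3.i386.rpm: sha1 md5 OK'
SAMPLE_MISSING_KEY='baz-0.9-1.i386.rpm: (SHA1) DSA sha1 MD5 (GPG) NOT OK (MISSING KEYS: GPG#12345678)'
SAMPLE_SIGNED_NEW='qux-1.2-1.noarch.rpm: digests signatures OK'
SAMPLE_BAD_SIG='corrupt-1.0-1.i386.rpm: digests SIGNATURES NOT OK'

# Demo: print the verdict for each constructed line.
for line in "$SAMPLE_SIGNED_OLD" "$SAMPLE_UNSIGNED" "$SAMPLE_MISSING_KEY" \
            "$SAMPLE_SIGNED_NEW" "$SAMPLE_BAD_SIG"; do
    printf '%-24s %s\n' "$(classify_checksig "$line")" "${line%%:*}"
done
```

The point of the third case in `classify_checksig` is the one the reply above is making: a clean "OK" on a digest-only package tells you the file was not corrupted in transit, not that the distribution ever vouched for it. Treating "unsigned" and "failed" the same way at install time is what keeps the "just go ahead and install" habit from creeping back in.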