Debian: apt-get

From ReceptiveIT

The following is a quote from the APT Howto:

In the beginning there was the .tar.gz. Users had to compile each program that they wanted to use on their GNU/Linux systems. When Debian was created, it was deemed necessary that the system include a method of managing the packages installed on the machine. The name dpkg was given to this system. Thus the famous `package' first came into being on GNU/Linux, a while before Red Hat decided to create their own `rpm' system.

A new dilemma quickly took hold of the minds of the makers of GNU/Linux. They needed a rapid, practical, and efficient way to install packages that would manage dependencies automatically and take care of their configuration files while upgrading. Here again, Debian led the way and gave birth to APT, the Advanced Packaging Tool, which has since been ported by Conectiva for use with rpm and has been adopted by some other distributions.

Managing PGP keys

apt-get update should never, ever update the keys automagically.
It is you (the administrator) who declares which sites are trusted; apt-get update can only refetch the {Release,Package,Source}.gpg files and check signatures.

The warnings you get from apt-get update just say that those repositories are not trusted. To declare a repository as trusted, fetch the key for that repository, make sure it is a valid key, then run apt-key add. For example, to make an official Debian repository trusted you should run:

wget http://ftp-master.debian.org/ziyi_key_2006.asc
apt-key add ziyi_key_2006.asc


If you just want to declare a repository as trusted, run:

gpg --recv-key KEY_ID && gpg -a --export KEY_ID | apt-key add -

where KEY_ID is the string after NO_PUBKEY. For example, for Blackdown at ftp.gwdg.de you should replace KEY_ID with BB5E459A529B8BDA.

And last but not least, to be precise: by adding a key to the apt-get keyring you will trust _all_ repositories signed with this key.
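
One way to carry out the "make sure it is a valid key" step before running apt-key add, as an added example that is not part of the original page: it extracts the key IDs from the NO_PUBKEY warnings and accepts a fetched key file only if it contains a single primary key whose fingerprint matches one obtained from the repository owner over a separate channel. The function names, the sample warning, the sample key listing and the zero-padded fingerprint are constructed placeholders; the listing is assumed to be the output of gpg --show-keys --with-colons run on the downloaded file.

```shell
#!/bin/sh
# Added example: helper names and all sample data below are constructed.
# Placeholder standing in for a fingerprint obtained out-of-band.
EXPECTED_FPR="0000 0000 0000 0000 0000 0000 BB5E 459A 529B 8BDA"

# Print the unique key IDs that follow NO_PUBKEY in apt-get update output (stdin).
missing_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-Fa-f]\{16\}' | awk '{ print toupper($2) }' | sort -u
}

# Succeed only if the listing on stdin (assumed to be the output of
# `gpg --show-keys --with-colons FILE`) holds exactly one primary key, that
# key's fingerprint equals EXPECTED, and some key in the file has KEY_ID.
# usage: key_is_expected KEY_ID EXPECTED < listing
key_is_expected() {
    awk -F: -v id="$1" -v fpr="$2" '
        BEGIN { id = toupper(id); gsub(/ /, "", fpr); fpr = toupper(fpr) }
        $1 == "pub" { pubs++; want_primary = 1 }
        $1 == "fpr" {
            f = toupper($10)                 # field 10 carries the fingerprint
            if (want_primary) { primary = f; want_primary = 0 }
            # A long key ID is the last 16 hex digits of a v4 fingerprint.
            if (length(f) >= 16 && substr(f, length(f) - 15) == id) id_seen = 1
        }
        END { exit !(pubs == 1 && primary == fpr && id_seen) }
    '
}

sample_update_output() {   # constructed warning; key ID taken from the page
    cat <<'EOF'
W: GPG error: http://repo.example.invalid stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB5E459A529B8BDA
EOF
}

sample_listing() {         # constructed colon listing with the placeholder fingerprint
    cat <<'EOF'
pub:-:1024:17:BB5E459A529B8BDA:1100000000:::-:::scSC:
fpr:::::::::000000000000000000000000BB5E459A529B8BDA:
uid:-::::1100000000::::Constructed Archive Key <key@repo.example.invalid>:
EOF
}

for id in $(sample_update_output | missing_key_ids); do
    if sample_listing | key_is_expected "$id" "$EXPECTED_FPR"; then
        echo "$id: fingerprint matches the expected value"
    else
        echo "$id: fingerprint mismatch, do not pass this file to apt-key add"
    fi
done
```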