[TriLUG] Debian vs Mandrake vs Redhat vs . . .

Jeremy Portzer jeremyp at pobox.com
Tue Mar 11 11:21:39 EST 2003


On Tue, 2003-03-11 at 10:01, lfwelty wrote:
> Jeremy Portzer wrote:
> > On Tue, 2003-03-11 at 00:48, Ben Pitzer wrote:
> > 
> <cut>
> > Obviously you have a big misconception about what's going on with apt
> > for RPM.  I would NEVER use it on my servers if it weren't checking the
> > GPG signatures and assuring that the packages were the official ones
> > from Red Hat Inc.
> <cut>
> > --Jeremy
> 
> /admitted-newby-w-apt
> 
> What apt repository do you use?

I've been using the TriLUG one (which I help maintain) though I now have
my own mirror server at my employer.  For the "freshrpms" repository I
just use the default freshrpms.net site.  The only thing I use from this
repository on my servers is apt itself; I do use xine, mplayer, alsa,
and some other stuff on my laptop.

> Is it kept up to date w/ rh's updates?

Yes, of course ... that's the point.
The TriLUG mirrors are updated nightly with rsync, and I'm doing the
same on my internal server.  When the sendmail errata came out I
manually re-ran the rsync to get it.

> How do you check the GPG sigs?
> 
> - for example:
> 'apt-get -d install kernel#<kernel-version>'
> 
>   just downloads the package w/o unpacking;

Correct, and then you can run rpm -K on the package file which lives in
/var/cache/rpm/archive.  You'll need to run "gpg --import
/usr/share/rhn/RPM-GPG-KEY" as root to put the Red Hat public key in
root's keyring.  (Since apt-get and rpm run as root.)  With newer
versions of Red Hat (8.0 and Phoebe), you can do "rpm --import
/usr/share/rhn/RPM-GPG-KEY" since RPM can hold the GPG keys internally.

> http://apt4rpm.sourceforge.net/
> 
> discusses this gpg, but I still seem boggled.
> 
> Would you mind spoon feeding me?
> 
> I'm used to:
> lfwelty-laptop:rh80-18> rpm -K kernel-2.4.18-18.8.0.i686.rpm
> kernel-2.4.18-18.8.0.i686.rpm: (sha1) dsa sha1 md5 gpg OK

Sure, that will work with the download-only option as mentioned above,
and that's how I usually do it.  (Something like rpm -K
/var/cache/rpm/archive/*.rpm )  Some versions of apt (0.3.something)
support a -K option to apt-get, which will check the signature for you
before installing the RPM.  For example "apt-get -K upgrade" .  You
apparently have to look through the output, see if everything passed,
and then run it again without -K to actually upgrade the packages.

Note that there is some discussion of a file called vendors.list where
you put GPG keys. This only applies to the signing of the "Packages.gz"
file, which lists what packages are in the repository, and not the
packages themselves.  Since Red Hat doesn't run its own apt repository,
you can't put the Red Hat public key here.  (If you use the FreshRPM
repository, you could put Matthias Saou's public key here if you trust
him.)  I find this feature somewhat limited since it

Hope this helps,
Jeremy
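The download-then-verify routine described in the reply above (import the Red Hat key, `apt-get -d`, `rpm -K` on the cache, then upgrade only if everything passed), written out as an added shell example. It is not code from the post, from apt-rpm or from Red Hat. The paths are the ones named in the post; the `rpm -K` output lines are constructed samples in the format the post quotes, and the exact patterns `check_sig_output` accepts (lowercase `gpg OK`/`pgp OK`, plus `signatures OK` for newer rpm releases) are this example's own assumption about rpm's output.

```shell
#!/bin/sh
# Added example (not from the original post): gate an apt-for-rpm upgrade on
# rpm -K signature results.  Paths are the ones named in the post; the output
# patterns accepted by check_sig_output are this example's assumption.

RPM_CACHE="${RPM_CACHE:-/var/cache/rpm/archive}"   # where apt-get -d leaves packages
RH_KEY="${RH_KEY:-/usr/share/rhn/RPM-GPG-KEY}"     # Red Hat public key, path from the post

# Constructed sample rpm -K lines in the style the post quotes.  Only the
# first passed a signature check; the second is unsigned (digests only), the
# third was signed by a key rpm does not have.
SAMPLE_SIGNED='kernel-2.4.18-18.8.0.i686.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='unsigned-1.0-1.i386.rpm: sha1 md5 OK'
SAMPLE_BADKEY='other-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS)'

# check_sig_output TEXT: read rpm -K output, one package per line.  A line is
# accepted only if it ends in a *signature* check that passed: lowercase
# "gpg OK" / "pgp OK" (rpm 4.0/4.1 style) or "signatures OK" (newer rpm,
# assumed format).  "md5 OK" alone only proves the file is intact, not that
# Red Hat signed it, so it is rejected.  rpm prints a failed check in upper
# case ("GPG NOT OK"), which the pattern does not match.  Exit 0 = all accepted.
check_sig_output() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }                         # ignore blank lines
        / (gpg|pgp|signatures) OK$/ { next }     # signature verified
        { print "REJECTED: " $0; bad = 1 }       # anything else is a failure
        END { exit bad }
    '
}

# The procedure from the post: import key, download only, verify, then upgrade.
verify_and_upgrade() {
    rpm --import "$RH_KEY" || return 1          # RPM >= 4.1 keeps keys itself
    apt-get -d upgrade || return 1              # -d: fetch, do not install
    set -- "$RPM_CACHE"/*.rpm
    [ -f "$1" ] || { echo "nothing downloaded"; return 0; }
    out=$(rpm -K "$@" 2>&1)                     # status ignored; output is parsed
    if check_sig_output "$out"; then
        apt-get upgrade                         # everything verified: install
    else
        echo "refusing to upgrade: unverified package(s) in $RPM_CACHE" >&2
        return 1
    fi
}

# Demo of the parser on the constructed samples (needs no rpm on the box).
for s in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_BADKEY"; do
    if check_sig_output "$s" >/dev/null; then echo "accept: $s"; else echo "reject: $s"; fi
done
# Run the real procedure only when asked, since it touches the live system.
if [ "${1:-}" = "--run" ]; then verify_and_upgrade; fi
```

Running the script with `--run` as root does the whole sequence; without it only the parser demo runs. The point of parsing rather than trusting `rpm -K`'s exit status alone is the unsigned case: an unsigned package prints `md5 OK` and exits 0, so a check that only looks for "OK" would install something the Red Hat key never vouched for.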



