[TriLUG] Debian vs Mandrake vs Redhat vs . . .

lfwelty lfwelty at redback.com
Tue Mar 11 12:50:35 EST 2003


That was everything I needed.

And this gave me what I needed to get apt working w/ TriLUG's mirrors:
http://members.trilug.org/services_faq/TriLUG-mail-faq-4.html#ss4.6

Thanks!

Jeremy Portzer wrote:
> On Tue, 2003-03-11 at 10:01, lfwelty wrote:
> 
>>Jeremy Portzer wrote:
>>
>>>On Tue, 2003-03-11 at 00:48, Ben Pitzer wrote:
>>>
>>
>><cut>
>>
>>>Obviously you have a big misconception about what's going on with apt
>>>for RPM.  I would NEVER use it on my servers if it weren't checking the
>>>GPG signatures and assuring that the packages were the official ones
>>>from Red Hat Inc.
>>
>><cut>
>>
>>>--Jeremy
>>
>>/admitted-newby-w-apt
>>
>>What apt repository do you use?
> 
> 
> I've been using the TriLUG one (which I help maintain) though I now have
> my own mirror server at my employer.  For the "freshrpms" repository I
> just use the default freshrpms.net site.  The only thing I use from this
> repository on my servers is apt itself; I do use xine, mplayer, alsa,
> and some other stuff on my laptop.
> 
> 
>>Is it kept up to date w/ rh's updates?
> 
> 
> Yes, of course ... that's the point.
> The TriLUG mirrors are updated nightly with rsync, and I'm doing the
> same on my internal server.  When the sendmail errata came out I
> manually re-ran the rsync to get it.
> 
> 
>>How do you check the GPG sigs?
>>
>>- for example:
>>'apt-get -d install kernel#<kernel-version>'
>>
>>  just downloads the package w/o unpacking;
> 
> 
> Correct, and then you can run rpm -K on the package file which lives in
> /var/cache/rpm/archive.  You'll need to run "gpg --import
> /usr/share/rhn/RPM-GPG-KEY" as root to put the Red Hat public key in
> root's keyring.  (Since apt-get and rpm run as root.)  With newer
> versions of Red Hat (8.0 and Phoebe), you can do "rpm --import
> /usr/share/rhn/RPM-GPG-KEY" since RPM can hold the GPG keys internally.
> 
> 
>>http://apt4rpm.sourceforge.net/
>>
>>discusses this gpg, but I still seem boggled.
>>
>>Would you mind spoon feeding me?
>>
>>I'm used to:
>>lfwelty-laptop:rh80-18> rpm -K kernel-2.4.18-18.8.0.i686.rpm
>>kernel-2.4.18-18.8.0.i686.rpm: (sha1) dsa sha1 md5 gpg OK
> 
> 
> Sure, that will work with the download-only option as mentioned above,
> and that's how I usually do it.  (Something like rpm -K
> /var/cache/rpm/archive/*.rpm )  Some versions of apt (0.3.something)
> support a -K option to apt-get, which will check the signature for you
> before installing the RPM.  For example "apt-get -K upgrade" .  You
> apparently have to look through the output, see if everything passed,
> and then run it again without -K to actually upgrade the packages.
> 
> Note that there is some discussion of a file called vendors.list where
> you put GPG keys. This only applies to the signing of the "Packages.gz"
> file, which lists what packages are in the repository, and not the
> packages themselves.  Since Red Hat doesn't run its own apt repository,
> you can't put the Red Hat public key here.  (If you use the FreshRPM
> repository, you could put Matthias Saou's public key here if you trust
> him.)  I find this feature somewhat limited since it
> 
> Hope this helps,
> Jeremy
> 

-- 
------------------------------------------------------------------
Frank Welty                |  15401 Weston Parkway, Suite 150
lfwelty at redback.com        |  Cary, NC 27513
Redback Networks           |  desk:919.678.2175 m: 919.264.7495
------------------------------------------------------------------
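
The download-then-verify step discussed in this thread ("look through the output, see if everything passed") can be scripted; the following is an added example, not part of the original messages. It assumes the `rpm -K` line format quoted above; the function names and all sample lines except the kernel one are constructed. It rejects packages that report OK on digests alone, since an unsigned package produces no gpg/pgp token at all.

```shell
#!/bin/sh
# Added example: gate an install on `rpm -K` output (format as quoted in the thread).

# classify_rpmk_line LINE -> prints signed-ok, unsigned, or failed
classify_rpmk_line() {
    line=$1
    result=${line#*: }            # checks and verdict after "<file>: "
    case $result in
        *"NOT OK"*) echo failed; return ;;
        *OK) ;;                    # verdict is OK; still need a signature token
        *) echo failed; return ;;
    esac
    # A passing signature check is reported as a lowercase gpg or pgp token.
    for tok in $result; do
        case $tok in
            gpg|pgp) echo signed-ok; return ;;
        esac
    done
    echo unsigned                  # digests matched, but nothing was signed
}

# all_signed_ok: read `rpm -K` output on stdin; succeed only if every
# package line is signed-ok. Rejected lines are reported on stderr.
all_signed_ok() {
    bad=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        verdict=$(classify_rpmk_line "$l")
        if [ "$verdict" != signed-ok ]; then
            echo "REJECT ($verdict): $l" >&2
            bad=1
        fi
    done
    return $bad
}

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_GOOD='kernel-2.4.18-18.8.0.i686.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_MIXED="$SAMPLE_GOOD
example-unsigned-1.0-1.i386.rpm: sha1 md5 OK
example-nokey-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)"

# Real use: rpm -K /var/cache/rpm/archive/*.rpm | all_signed_ok && apt-get upgrade
printf '%s\n' "$SAMPLE_MIXED" | all_signed_ok || echo "verification failed, not installing"
```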