Re: Verification of Package Files When Using Sources.List.

To: or-talk@xxxxxxxxxxxxx

Subject: Re: Verification of Package Files When Using Sources.List.

From: Justin Aplin <jmaplin@xxxxxxx>

Date: Sun, 2 Jan 2011 19:58:13 -0500

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Sun, 02 Jan 2011 19:58:23 -0500

In-reply-to: <4D20FD4C.4010509@xxxxxxxxx>

References: <4D20FD4C.4010509@xxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

On Jan 2, 2011, at 5:33 PM, Matthew wrote:

I did post this before in November but got no responses. Hopefully this wasn't because the question was so dumb.

Not at all. If by "using the sources.list file" you mean using Apt, Aptitude, or Synaptic, then yes, verification is done automatically. You can read more about the process here:

http://wiki.debian.org/SecureApt

~Justin Aplin

-------------

My /etc/apt/sources.list contains:

deb http://deb.torproject.org/torproject.org lucid main

In the "authentication" section of my "software sources" I have a deb.torproject.org archive signing key dated 2009-09-04 with a value 886DDD89.

I was looking at the page which explains how to verify signatures for downloads: https://www.torproject.org/docs/verifying-signatures.html.en

If one is not directly downloading but using the sources.list file is the "authentication" section adequate to verify the validity of the downloads?

Thanks