[LBo] Mint Linux
Jisao
dimark at securenet.net
Wed Aug 29 01:50:03 CEST 2007
On Tue, 28 Aug 2007 11:34:04 -0500, Troy wrote
> > Even when a repository signs their packages, you don't "need" to check the
> > signature to see if the packages are "mint" (pardon the pun ;0D).
> >
> > So, the goal of signing is very different from the "signed by Micro$oft".
>
> Jisao,
>
> Thanks for your response. If I understand correctly, signing is a
> way to ensure the package is authentic (has not been hacked). By
> using Mint Linux, who does not support signed packages in their
> repository, am I at a greater risk for downloading and installing a
> hacked package?
I don't have an informed answer. My guess would be that yes, there is a
greater risk. However, how much is "greater"? Hard to quantify. And more
importantly, what would be the consequence for you to have a "damaged"
system from an improper download/update?
As a home user, it might be an acceptable risk. It all depends. I
personally don't verify the Debian packages I apt-get.
> Even if a repository signs their packages, is there still the possibility
> the package could have been hacked, or is signing a package a
> guarantee the package is authentic?
I don't know about 100% guarantee, but it is pretty difficult to hack a key.
So I would say that it reduces the risk to a very acceptable level, even for
a corporation.
>
> To help me put signing into terms I understand, is signing a package
> similar to MD5 Sum?
Not exactly. I am not an expert in signing, but I would say that MD5sum is
adding up a list to a total and seeing if you come up with the same total doing
the sum on what you have, whereas signing is like translating it to some
garbled contents, which you have the special key to ungarble. As the
garbling key is secret, the fact that you can ungarble it means you got the
contents from the right sender, in this case the repository.
I hope my explanation is clear.
>
> Learning something new everyday!
:-)
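The checksum-versus-signature distinction the reply describes, as an added example that is not part of the original thread. A repository "publishes" a package with a SHA-256 checksum beside it and a detached Ed25519 signature; a compromised mirror then swaps the package and recomputes the checksum, which anyone can do, but has to reuse the old signature because it lacks the repository's private key. The package names, payload bytes and key pair are constructed here for illustration; the only real dependency is the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves for one package: the bytes, a checksum
// file beside them, and a detached signature made by the repository key.
type Release struct {
	Data     []byte
	Checksum string // hex SHA-256 of Data (the "MD5sum" role in the post)
	Sig      []byte // Ed25519 signature over Data by the repository's private key
}

// NewRepoKey creates a repository key pair. Only the public half is shipped
// to users; the private half never leaves the repository.
func NewRepoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the repository's side: hash the package and sign it.
func Publish(priv ed25519.PrivateKey, data []byte) Release {
	return Release{Data: data, Checksum: sha256Hex(data), Sig: ed25519.Sign(priv, data)}
}

// Tamper is a compromised mirror's side: swap the package and recompute the
// checksum (anyone can do that). The signature is copied unchanged, because
// producing a fresh one would need the repository's private key.
func Tamper(r Release, evil []byte) Release {
	return Release{Data: evil, Checksum: sha256Hex(evil), Sig: r.Sig}
}

// ChecksumOK is all a user who "checks the sum" learns: the bytes match the
// checksum file that arrived with them, whoever wrote both.
func ChecksumOK(r Release) bool {
	return sha256Hex(r.Data) == r.Checksum
}

// SignatureOK is what a user holding the repository's public key learns: the
// holder of the matching private key signed exactly these bytes.
func SignatureOK(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Data, r.Sig)
}

func main() {
	pub, priv := NewRepoKey()
	// Constructed sample payloads standing in for a real .deb.
	genuine := Publish(priv, []byte("mint-package-1.0: constructed sample payload"))
	trojaned := Tamper(genuine, []byte("mint-package-1.0: constructed payload with a backdoor"))

	fmt.Printf("genuine : checksum=%v signature=%v\n", ChecksumOK(genuine), SignatureOK(pub, genuine))
	fmt.Printf("tampered: checksum=%v signature=%v\n", ChecksumOK(trojaned), SignatureOK(pub, trojaned))
}
```

The tampered release passes the checksum check and fails the signature check, which is the whole difference: a checksum protects against accidental corruption, a signature protects against substitution by anyone who does not hold the signing key. Two caveats a practitioner should keep in mind: the signature only proves that the key holder signed those bytes, not that the bytes are harmless (a compromised build host or signing key produces perfectly valid signatures), and the public key you verify against has to reach you by a trusted path, otherwise an attacker can simply hand you their own key along with their own signature.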
More information about the QnA mailing list