The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Debian untrusted packages problem

    Discussion in 'Linux Compatibility and Software' started by wearetheborg, Sep 29, 2009.

  1. wearetheborg

    wearetheborg Notebook Virtuoso

    I tried to install cvs (a standard tool):
    It gave me the following warning:

    Code:
    Untrusted packages could compromise your system's security.
    You should only proceed with the installation if you are certain that
    this is what you want to do.
    
      cvs 
    
    Here is my sources.list file:
    Code:
    deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
    deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free
    
    deb http://security.debian.org/ lenny/updates main
    deb-src http://security.debian.org/ lenny/updates main
    
    deb http://volatile.debian.org/debian-volatile lenny/volatile main
    deb-src http://volatile.debian.org/debian-volatile lenny/volatile main
    
    deb http://www.debian-multimedia.org lenny main
    
    I have imported the debian-multimedia keyring, so everything should be authentic. Why am I getting this warning message?
     
  2. timberwolf

    timberwolf Notebook Consultant

    I don't know what the problem is here, but I think it is worth clearing up a little misconception that you have.

    The debian-multimedia-keyring is only applicable to the third-party multimedia repository, the last one in your list. You should have other keyrings for the debian repositories - most likely debian-archive-keyring.

    Type the following to see the keyring packages that you have installed:

    dpkg -l '*keyring*' | grep ^i

    You can also look in /usr/share/keyrings to see what keyrings are in there.
     
  3. The Fire Snake

    The Fire Snake Notebook Virtuoso

    I am not 100% sure, but it might be due to the volatile repos and it is trying to grab CVS from it. I have never used it myself. Why do you have it?
     
  4. timberwolf

    timberwolf Notebook Consultant

    I think it is unlikely that the cvs package would be coming from volatile but you can easily check which repository with:

    apt-cache policy cvs
     
  5. wearetheborg

    wearetheborg Notebook Virtuoso

    I have the following:
    Code:
    # apt-cache policy cvs
    cvs:
      Installed: 1:1.12.13-12
      Candidate: 1:1.12.13-12
      Version table:
     *** 1:1.12.13-12 0
            500 http://ftp.us.debian.org lenny/main Packages
            100 /var/lib/dpkg/status
    
    So it's from main lenny :confused:

    My keyrings:
    Code:
    /usr/share/keyrings# ls
    debian-archive-keyring.gpg  debian-archive-removed-keys.gpg  debian-multimedia-keyring.gpg  debian-multimedia-removed-keys.gpg
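
Added example (not part of the original thread): a small parser for the `apt-cache policy` output quoted above that lists which sources offer the candidate version, so the repository behind an "untrusted" warning can be checked by script. The function names `sample_policy`, `candidate_sources` and `candidate_from` are hypothetical, and the sample input is the output posted in the thread.

```shell
#!/bin/sh
# Constructed sample: the `apt-cache policy cvs` output quoted in the thread.
sample_policy() {
cat <<'EOF'
cvs:
  Installed: 1:1.12.13-12
  Candidate: 1:1.12.13-12
  Version table:
 *** 1:1.12.13-12 0
        500 http://ftp.us.debian.org lenny/main Packages
        100 /var/lib/dpkg/status
EOF
}

# candidate_sources: read `apt-cache policy <pkg>` output on stdin and print
# "<priority> <origin...>" for each source offering the Candidate version.
candidate_sources() {
    awk '
        $1 == "Candidate:"                { cand = $2; next }
        $1 == "Version" && $2 == "table:" { in_table = 1; next }
        !in_table                         { next }
        # Version header, with or without the "***" installed marker.
        NF == 3 && $1 == "***" && $3 ~ /^-?[0-9]+$/ { hit = ($2 == cand); next }
        NF == 2 && $2 ~ /^-?[0-9]+$/                { hit = ($1 == cand); next }
        # Source line under the current version: priority, then origin.
        hit && $1 ~ /^-?[0-9]+$/ { $1 = $1; print }
    '
}

# candidate_from ORIGIN: succeed if ORIGIN (a URL prefix) offers the candidate.
candidate_from() {
    candidate_sources |
        awk -v o="$1" 'index($2, o) == 1 { ok = 1 } END { exit !ok }'
}

# Stand-alone run: show the sources for the sample above.
sample_policy | candidate_sources
```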
    
     
  6. wearetheborg

    wearetheborg Notebook Virtuoso

    I'm not sure why I have the volatile repos -- what does the volatile repo have?
     
  7. timberwolf

    timberwolf Notebook Consultant

    Volatile contains packages such as virus scanners e.g. clamav.

    You could try commenting out volatile and then doing an update. There's a bug related to volatile and its keyring not being in the Etch release and the maintainers repeated the mistake for the Lenny release. I don't see how it would apply as apt would have downloaded from the main repository.

    The other possibility is that your debian-archive-keyring has got corrupted?
     
  8. The Fire Snake

    The Fire Snake Notebook Virtuoso

    Comment it out and run an update. I have never used it. If I remember right it has very new versions of packages that haven't been tested very much. Debian prides itself by being a very stable distro, which it is. I have always used the main repos, security and multimedia and the only other repos I have used are from third party companies that keep their packages in their own server/area, like btnx or opera etc.

    Here is a little bit more info on it.
     
  9. wearetheborg

    wearetheborg Notebook Virtuoso

    The Fire Snake, thanks for the info :)

    Yeah I'm puzzled too. Apt did download from the main repo.
    How can I find out if the debian-archive-keyring has been corrupted? How would I fix it?
     
  10. timberwolf

    timberwolf Notebook Consultant

    I don't know the correct way (I thought of using debsums but the debian-archive-keyring doesn't have any file md5sum checksums and doh! I guess gpg keys are sort of checksums in themselves). Anyway, I had a little play around and the following command lists 6 public keys for the debian archives. Both my Sidux and Etch systems list Lenny and Lenny volatile. Playing with a hex editor on a copy of the file, I corrupted the last key and got an error when I reran the command.

    Alternatively, you could download the debian-archive-keyring .deb package and extract to a temporary directory and then md5sum checksum the temporary copy and then compare with md5sum of the installed files. I'm assuming based on listing the package contents (dpkg -L) that the files are simply copied rather than constructed?
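
Added example (not part of the original thread): one way to script the comparison described in the last post, using a byte-for-byte `cmp` in place of md5sum. The function names `verify_keyrings` and `demo` are hypothetical, the reference directory is assumed to come from `dpkg-deb -x` on a downloaded debian-archive-keyring package, and the demo files are constructed stand-ins, not real keyrings.

```shell
#!/bin/sh
# verify_keyrings INSTALLED_DIR REFERENCE_DIR
# Compare every *.gpg file in REFERENCE_DIR (for instance the
# usr/share/keyrings tree produced by
#   dpkg-deb -x debian-archive-keyring_<version>_all.deb /tmp/ref )
# with the file of the same name in INSTALLED_DIR.
# Prints OK / DIFFERS / MISSING per file; returns 1 on any mismatch.
verify_keyrings() {
    installed=$1 reference=$2 status=0
    for ref in "$reference"/*.gpg; do
        [ -e "$ref" ] || { echo "no reference keyrings in $reference" >&2; return 2; }
        name=$(basename "$ref")
        if [ ! -f "$installed/$name" ]; then
            echo "MISSING $name"; status=1
        elif cmp -s "$ref" "$installed/$name"; then
            echo "OK $name"
        else
            echo "DIFFERS $name"; status=1
        fi
    done
    return $status
}

# Constructed demo: two stand-in keyring files, one altered in the
# "installed" copy to mimic the hex-editor corruption from the thread.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/installed" "$tmp/ref"
    printf 'constructed-key-A' > "$tmp/ref/debian-archive-keyring.gpg"
    printf 'constructed-key-B' > "$tmp/ref/debian-archive-removed-keys.gpg"
    cp "$tmp/ref/debian-archive-keyring.gpg" "$tmp/installed/"
    printf 'constructed-key-X' > "$tmp/installed/debian-archive-removed-keys.gpg"
    verify_keyrings "$tmp/installed" "$tmp/ref" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "keyring mismatch detected"
```

A match only shows the installed files equal the reference copy, so the downloaded .deb has to be authentic itself (checked against a signed Release/Packages chain or obtained from a trusted system) for the result to say anything beyond accidental corruption.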