try-alls
Posts: 95 | Thanked: 51 times | Joined on Sep 2010 @ staffordshire, uk
#21
Originally Posted by retsaw View Post
No, but when downloading paid apps from the Ovi store before installation they get saved in /home/user/MyDocs/.tmp; copy the file elsewhere to keep as a backup before telling the App Manager to install it.
Nice one, now I have a reason to install Tempy.
 
Posts: 701 | Thanked: 585 times | Joined on Sep 2010 @ London, England
#22
I don't think Tempy will help with this. Tempy is for saving Flash videos, which get saved in a different directory.
 
Posts: 362 | Thanked: 143 times | Joined on Mar 2008
#23
Originally Posted by retsaw View Post
No, if it worked at all it'd just mess up your Ubuntu install.

You just run that command on your N900 and if you wanted its output to go in a text file you'd append something like ">/home/user/MyDocs/packages.txt" to redirect the output to a file called "packages.txt" on your MyDocs partition.
@retsaw, thanks for your feedback. BTW, I was thinking of using apt-get to download the packages/files only and NOT to install them. I might not have made my question clear; sorry. Would that still work?

My rationale is to get all these packages onto an SD card or some local storage as a backup; then I would be free from having to be online to re-install these apps. I know there is a backup app (i.e. the one in extras testing/dev) that does a good job for the N900, but it would not help in the case where I want to do a clean re-install of everything.

Sorry for the somewhat long-winded post; I look forward to your comments.

Cheers,
 
woody14619
Posts: 1,455 | Thanked: 3,309 times | Joined on Dec 2009 @ Rochester, NY
#24
Originally Posted by zimon View Post
I was referring (but not mentioning) to the fact that doing a package install that way (dpkg -i) one doesn't check the authenticity of the package in any way. If it were an rpm package instead, the GPG signature would come embedded and would be checked automatically before installation (rpm -i).
Dependency-wise the two systems are identical, but not security-wise.
But that check relies on getting the public key from the repository it's from, which you get when you first download the RPM repository setup file. If you grab an RPM for a repository you don't have in your list, it will throw a signing error and you'd have to use --force to make it install the rpm anyway. (Or download and install the repository and its key.)

I will grant that it's nice to at least have an attempt to automate some minor level of security into the package manager. But really, it's not that terribly secure. All that signature means is that the repository you're getting data from has signed it. Most repositories will auto-sign anything uploaded. A signature doesn't mean it's been validated in any way to not contain bad software, just that it came from that particular repository.

Frankly, if you're downloading and manually installing packages (rpm or deb), you're probably taking some trust issues on anyway in where you're downloading it from. Just like you do for enabling a repository to start with, in either system.
 
Posts: 3,617 | Thanked: 2,412 times | Joined on Nov 2009 @ Cambridge, UK
#25
Originally Posted by cheve View Post
Noob question: would one change the repository for apt-get on a Linux box (say Ubuntu) to point to the Maemo repository and then execute apt-get to download the packages (with all dependencies)?
You should be able to, yes - you'll need to use the "-d" flag to apt-get to prevent it installing the packages.
 
Posts: 1,341 | Thanked: 708 times | Joined on Feb 2010
#26
Originally Posted by woody14619 View Post
But that check relies on getting the public key from the repository it's from, which you get when you first download the RPM repository setup file. If you grab an RPM for a repository you don't have in your list, it will throw a signing error and you'd have to use --force to make it install the rpm anyway. (Or download and install the repository and its key.)

I will grant that it's nice to at least have an attempt to automate some minor level of security into the package manager. But really, it's not that terribly secure. All that signature means is that the repository you're getting data from has signed it. Most repositories will auto-sign anything uploaded. A signature doesn't mean it's been validated in any way to not contain bad software, just that it came from that particular repository.

Frankly, if you're downloading and manually installing packages (rpm or deb), you're probably taking some trust issues on anyway in where you're downloading it from. Just like you do for enabling a repository to start with, in either system.
The repository's GPG public key is most likely in the system already, unless you are installing from scratch, when installing manually package by package is practically impossible anyway.
So in a situation like the one the OP is talking about, having rpm packages would cause their authenticity to be checked correctly and without extra trouble for the end user.

Having an embedded GPG signature in the package makes it possible to check that there was no MITM attack between you and the repository, even if you transfer and install packages by some other means than with the "normal" repository tools (apt, yum, zypper) straight from the repository to your end system.

In the ideal world, a developer (automatically) signs the .src.rpm package before it is taken to repositories to be built and signed with the repository's GPG key. Or, if you get the package straight from the developer, it is also automatically signed when the developer builds the binary or source package (rpmbuild -ba --sign). The RPM package format makes this all possible and consistent. Debian people would do the FOSS world a favor by letting go of their stubbornness and changing from the deb package system to rpm, like LSB wishes.
With the deb system there is quite a lot of manual work to do so that the authenticity chain wouldn't have weak links between a developer and an end user. Many people just refuse to see it, although in this thread again the weak links are obvious and visible.

Last edited by zimon; 2011-01-19 at 21:31.
 
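The point raised in #24 and #26 (a manually downloaded .deb carries no embedded signature) and Rob1n's apt-get -d suggestion in #25 leave the defender with one workable check: compare each downloaded .deb against the Size and SHA256 recorded in the repository's Packages index, which apt itself validates against the GPG-signed Release file. The following is an added example, not code from the thread or from Maemo; the index fragment and the package bytes are constructed stand-ins.

```python
import hashlib
import os

# Constructed sample data (not from the thread): a two-stanza fragment of an
# APT "Packages" index. Field names are the real ones; values are made up.
SAMPLE_INDEX = """\
Package: example-tool
Version: 1.0-1
Filename: pool/free/e/example-tool/example-tool_1.0-1_armel.deb
Size: 11
SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9

Package: other-tool
Version: 2.3
Filename: pool/free/o/other-tool/other-tool_2.3_armel.deb
Size: 5
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed stand-in for the bytes of example-tool_1.0-1_armel.deb.
SAMPLE_DEB = b"hello world"


def parse_packages_index(text):
    """Parse the stanza-per-package index into {basename of Filename: fields}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (leading space) belong to the previous field.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[os.path.basename(fields["Filename"])] = fields
    return entries


def verify_deb(deb_name, deb_bytes, entries):
    """Check a downloaded .deb against the index; returns (ok, reason)."""
    # Trust comes from the index, which must itself have been checked against
    # the repository's GPG-signed Release file (apt does this automatically).
    fields = entries.get(deb_name)
    if fields is None:
        return False, "not listed in index"
    if int(fields.get("Size", -1)) != len(deb_bytes):
        return False, "size mismatch"
    digest = hashlib.sha256(deb_bytes).hexdigest()
    if digest != fields.get("SHA256", "").lower():
        return False, "sha256 mismatch"
    return True, "ok"
```

Run it over the files apt-get -d leaves in /var/cache/apt/archives before copying them to the SD card; anything that fails the check should not be installed with dpkg -i.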
Posts: 701 | Thanked: 585 times | Joined on Sep 2010 @ London, England
#27
Originally Posted by cheve View Post
@retsaw, thanks for your feedback. BTW, I was thinking of using apt-get to download the packages/files only and NOT to install them. I might not have made my question clear; sorry. Would that still work?
It's do-able, but would also involve copying across the dpkg database (so it knows what is already installed and thus which dependencies are needed) and getting it to use that rather than the one for the Ubuntu install, as well as getting it to use the Maemo repositories. I'm sure it can be done, but I'm not sure how simple it would be to set up.
 
Posts: 362 | Thanked: 143 times | Joined on Mar 2008
#28
Originally Posted by retsaw View Post
It's do-able, but would also involve copying across the dpkg database (so it knows what is already installed and thus which dependencies are needed) and getting it to use that rather than the one for the Ubuntu install, as well as getting it to use the Maemo repositories. I'm sure it can be done, but I'm not sure how simple it would be to set up.
@Rob1n, retsaw: thanks for your comments. I have Ubuntu on a VM and will give it a try.

Cheers,
 