http://desktoplinuxreviews.com/2010/09/ ... t-9-debian
One of the comments, by Brian Masinick, however, stated this:
In another comment, the same user writes the following:

I was dismayed to see that, once again, the Mint software management programs are unable to cope with package authentication keys. I explicitly checked and enabled all of the Debian related keys and used apt-get instead of the good looking (but under-protective) package management tools, and then had the results I was looking for. I say this and it disturbs me because the typical audience for Mint isn’t going to know anything about package keys, and won’t see or know what they are missing, especially since the Mint tools silence those kinds of messages. If that doesn’t bother you, then ignore me, but I think it bears repeating because not many people know about the issue. Package authentication keys are safeguards against having felonious packages substituted for packages in the system. Mint takes safeguards, I am sure, but even the much heralded Debian project has been compromised in the past, so don’t be too smug or secure in thinking it couldn’t happen again. It could, so that’s why I am issuing the warning.
And, later, he continues:

I don’t like the Mint handling of packages using their GUI based tools that Jim likes so much. They are simple, but they hide and obscure the fact that the package signatures are missing on a lot of packages.
Turns out that at least on the Debian side, you CAN install the package signature keys. I did that, grabbing them from the Debian repository. Once I did that, I manually installed some stuff using apt-get and then it worked the way that I want it to work. The way that Mint ships it is fundamentally insecure, and leaves them wide open to package attacks. They’d better lock down their repos like a fort. Debian thought they were so tightly and carefully controlled, but in the decade that I’ve used Debian, they’ve had their servers attacked two or three times. Debian was right on top of it, but the intruders did get in. Perhaps Mint will be on top of things too. It’s just that since package keys are widely available and Debian has them, Mint ought to enable them. The reason they don’t seems to be that their Software Manager can’t handle them properly. The Mint guys don’t know how to set the package priorities to prefer their packages (which may have fixes that they’ve implemented) over the upstream packages – at least that was the claimed problem when using Ubuntu repositories. Mint developers have not (at least not yet) fixed this issue even though Debian has great keys and excellent authentication.
Since I am still a newbie and know very little about the internals of APT, could you please guys, for the sake of clarity, tell us, Mint users, if this is something we should be worried about?

I used apt-cache search keyring | more
to find stuff like this. One file you want to make sure is installed is debian-archive-keyring – GnuPG archive keys of the Debian archive. If you use multimedia, make sure that debian-multimedia-keyring is included. Any other repositories that are included need to have their corresponding keyring installed, otherwise packages for that repository have no check to ensure their authenticity.
Thank you very much.
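As an added example (not from the post or from Brian Masinick), here is a small POSIX shell check an administrator could run to surface what the quoted comments say the GUI tools hide: it parses the warnings apt-get update prints when a repository's signing key is missing, and flags the APT option that would let unauthenticated packages through anyway. The repository URLs, suite names and key IDs in the sample text are constructed, not real captures.

```shell
#!/bin/sh
# Added example: defender-side checks for APT repository authentication.
# Both functions take their input as text, so they can be tested offline on
# the constructed samples below or fed real output:
#   missing_keys "$(apt-get update 2>&1)"
#   auth_policy  "$(apt-config dump)"

# Constructed sample of "apt-get update" output (not a real capture).
# Two repositories lack a trusted key; the Debian one verifies fine.
SAMPLE_UPDATE_OUTPUT='W: GPG error: http://packages.example.test julia Release: The following signatures could not be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: GPG error: http://multimedia.example.test squeeze Release: The following signatures could not be verified because the public key is not available: NO_PUBKEY FEDCBA9876543210
Get:1 http://ftp.debian.org squeeze Release.gpg [835 B]
Hit http://ftp.debian.org squeeze Release'

# Print "<repository-url> <missing-key-id>" for every repository whose
# Release file could not be verified. Field 4 of a
# "W: GPG error: <url> <suite> Release: ..." line is the repository URL, and
# the key ID is the token that follows NO_PUBKEY.
missing_keys() {
    printf '%s\n' "$1" | awk '
        /NO_PUBKEY/ {
            for (i = 1; i <= NF; i++)
                if ($i == "NO_PUBKEY") print $4, $(i + 1)
        }'
}

# Constructed samples of "apt-config dump" output (not real captures).
SAMPLE_CONFIG_WEAK='APT::Get::AllowUnauthenticated "true";'
SAMPLE_CONFIG_OK='APT::Get::AllowUnauthenticated "false";'

# Print "weak" if APT is configured to install packages whose repository
# could not be authenticated, otherwise "ok". The option is off by default
# and then absent from the dump, which this check correctly treats as ok.
auth_policy() {
    if printf '%s\n' "$1" | grep -qiE '^APT::Get::AllowUnauthenticated "(true|yes|1)";'; then
        echo weak
    else
        echo ok
    fi
}

# Stand-alone run on the constructed samples.
missing_keys "$SAMPLE_UPDATE_OUTPUT"
auth_policy "$SAMPLE_CONFIG_WEAK"
```

Every repository listed by missing_keys needs its keyring installed (for Debian's own archive that is the debian-archive-keyring package named in the post); a "weak" result from auth_policy means failures like these would not stop an install.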