If you don't have the key, downloading it from somewhere other than the same place you get the ISO is a wise move and the key server is as good a place as any. You should also check its fingerprint with someone who already has it before using it for extra reassurance.
Once Slackware is installed, to use slackpkg, we run slackpkg update gpg for each new repo, right? Doesn't that script just grab the GPG-KEY from the repo over http/ftp without any added security? What's keeping someone from intercepting that request and returning an invalid gpg key for the repo?
Once Slackware is installed, to use slackpkg, we run slackpkg update gpg for each new repo, right?
No. slackpkg only runs with the official Slackware repository. You only need to import the official GPG key once.
If you are using slackpkgplus for additional repos, then again, you only need to get each additional GPG key once. So you can get (for example) Alien Bob's key securely from a keyserver (gpg --keyserver pgp.mit.edu --recv-key 769EE011) before the first time you run slackpkgplus. After that, it doesn't matter if slackpkgplus uses http to download the packages and the signatures.
What's keeping someone from intercepting that request and returning an invalid gpg key for the repo?
Mostly you only need to worry about the server you're downloading from being hacked and dubious files being substituted. If you're up against an adversary with the ability to do real-time intercept and MITM of all your key requests and communication channels then I'm afraid you've got much larger concerns than worrying about whether your Slackware ISOs have been tampered with.
Get the key from the key server and check the fingerprint as described above. Let the tin-foil hat brigade worry about the rest.
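The fingerprint check recommended in this thread, as an added example that is not part of the original posts: it compares a key listing against a full fingerprint obtained out-of-band and refuses a short key ID such as 769EE011. The function names, the sample listing and its fingerprint are constructed for illustration, and it assumes v4 (40 hex digit) fingerprints with the listing produced by `gpg --show-keys --with-colons GPG-KEY`.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# Normalise a fingerprint as people usually write it: drop spaces/colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read gpg --with-colons output on stdin; print the fingerprint (field 10 of the
# "fpr" record) that follows each "pub" record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# check_fpr EXPECTED  (key listing on stdin)
# 0 = exactly one primary key and its fingerprint matches
# 1 = mismatch, no key, or more than one primary key in the file
# 2 = EXPECTED is not a full 40-hex fingerprint (e.g. a short key ID)
check_fpr() {
    expected=$(norm_fpr "$1")
    case "$expected" in
        ""|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(primary_fprs)
    set -- $actual          # one word per primary-key fingerprint
    [ "$#" -eq 1 ] && [ "$1" = "$expected" ]
}

# Constructed listing in gpg's colon format; not a real key.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1262304000:::-:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1262304000::::Example Repo Key <key@example.invalid>:
sub:-:4096:1:FEDCBA9876543210:1262304000::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Constructed "out-of-band" fingerprint, written the way gpg prints it.
EXAMPLE_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
if sample_listing | check_fpr "$EXAMPLE_FPR"; then
    echo "fingerprint matches; safe to import"
fi
```

Run the check on the downloaded key file before `gpg --import`, so a substituted key is rejected before it ever reaches the keyring.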