Re: Proposal: increasing mirror security

[Brandon Mitchell <bhmit1@mail.wm.edu>]

On Mon, 25 Jan 1999, Wichert Akkerman wrote:

> If people really want to be able to verify package integrity we might as
> well go the whole way. Ian Jackson posted (1.5 years ago I think) a
> proposal that would secure the complete stage from building a package to
> distribution on the mirrors.
> 
> You might want to look that up in the list archives.

I found what looks like the thread in reference on Feb 97:
http://www.debian.org/Lists-Archives/debian-devel-9702/threads.html

However, 1) half the month (and thead) is missing, and 2) it seems to
detail getting the package into the mirror with little concern once it's
there.  I have a bit of faith in pgp signing the packages and uploading
them.  I'm a bit more concerned once it's there since users don't see
these pgp signatures.  If the package.gz file was signed, we would be
pretty good, but apt and dselect can't handle that kind of change.  So I'm
proposing the file be signed but the signature being kept in a separate
file.  For the mirror maintainers, this involves:

pgp -sab Packages
mv Packages.asc Packages.pgp  # or maybe we don't need this

Thanks,
Brandon

+---                                                              ---+
| Brandon Mitchell * bhmit1@mail.wm.edu * http://bhmit1.home.ml.org/ |
| The above is a completely random sequence of bits, any relation to |
|               an actual message is purely accidental.              |