Re: Packages debian needs
On Mon, May 19, 2003 at 05:35:51PM -0700, Timothy Webster wrote:
> --- Marc Wilson <msw@cox.net> wrote:
> > On Sun, May 18, 2003 at 07:51:16PM -0700, Timothy
> > Webster wrote:
> > > 3) Debian packages from peer to peer networks.
> >
> > You're kidding, right? You *actually* want to retrieve packages
> > from an unknown machine, from an unknown person, hand those packages
> > root on your machine, and see what happens?
>
> No I am not kidding. That is why we have package signing.
We don't have signatures on individual packages yet.
Our mirror system works pretty well, though, and is widely deployed. I
don't think a peer-to-peer system would be an improvement; at the moment
it's possible for the central mirror maintainers to contact leaf mirrors
when a problem is reported, but that would be impossible with a
peer-to-peer network.
> But you are right, we need to introduce a PKI directory at some point
> to hold public signing keys. With our current debian structure it
> wouldn't need to be much of directory, since most packages are created
> automatically with MD5 from maintainers. Buy the way MD5 is not strong
> enough, so we need to upgrade to secure signing.
Uploads are GPG-signed. The signing isn't exported to users as such, but
there are Release files in the archive storing the md5sums of Packages
files which themselves store the md5sums of all the packages, and the
Release files are accompanied by a signed Release.gpg file; so you can
do it. (There's even a tool to check all this if you want;
apt-check-sigs I think.)
MD5 is quite sufficient for the checksum part of this, I think; I'll be
really very impressed indeed if you manage to find a collision in MD5
which is also a valid .deb archive.
> > How does this work better than the current mirror system?
>
> This will greatly speed up subsequent local fetches from other
> machines in the same or near networks. Reduces the load on mirrors.
Use a proxy cache.
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
Reply to: