[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securely retrieving dscs from snapshot.debian.org

On Sat, Dec 30, 2017 at 6:57 PM, peter green wrote:

> * what keys would be used to sign these re-signed release files? You
> wouldn't want to use a regular Debian archive key because you wouldn't want
> people to be able to use snapshots to attack Debian users.

They would have to be separate keys to the Debian archive key because
that is on a HSM.

> * How secure would the re-signing infrastructure be?

I guess the signing would have to be online and on-demand, so we
probably would have one offline key with subkeys in HSMs at each
snapshot location.

> It wouldn't solve the issue of how to find that
> damn Release/Sources pair in the first place.

I would leave that part to apt plus the API:

deb-src http://snapshot.debian.org/archive/debian/20160729T163942Z/

> I have attatched my attempt at a tool for downloading source packages
> securely from snapshot.debian.org. It seems to work, comments/improvements
> welcome.

If you would like to add more endpoints to the API, that would
probably be a good idea to reduce the complexity of your script.



Reply to: