Re: Securely retrieving dscs from snapshot.debian.org
On Sat, Dec 30, 2017 at 6:57 PM, peter green wrote:
> * what keys would be used to sign these re-signed release files? You
> wouldn't want to use a regular Debian archive key because you wouldn't want
> people to be able to use snapshots to attack Debian users.
They would have to be separate keys to the Debian archive key because
that is on a HSM.
> * How secure would the re-signing infrastructure be?
I guess the signing would have to be online and on-demand, so we
probably would have one offline key with subkeys in HSMs at each
> It wouldn't solve the issue of how to find that
> damn Release/Sources pair in the first place.
I would leave that part to apt plus the API:
> I have attatched my attempt at a tool for downloading source packages
> securely from snapshot.debian.org. It seems to work, comments/improvements
If you would like to add more endpoints to the API, that would
probably be a good idea to reduce the complexity of your script.