
Re: dupload similar for master?



Lalo Martins <lalo@webcom.com> wrote:
> On Aug 10, Stephen J. Carpenter decided to present us with:
> > On Mon, Aug 10, 1998 at 03:03:40PM -0300, Lalo Martins wrote:
> > > ---
> > > drsign lets you remotely sign a file. It basically does:
> > > 1: ask your ssh/scp passphrase
> > > 2: ask your pgp passphrase
> > > 3: scp-downloads the file(s) you want to sign
> > > 4: sign them
> > > 5: scp-uploads them back

OK, this is great for people who have a permanent net connection but a slow
CPU, low memory, etc. But, for people who have a slow and/or inexpensive net
connection, another option is required.

The build goes ahead on master (using "nohup"), then, when it's finished, it
PGP encrypts the files which need signing, emails them to you, you then PGP
sign these files and mail them back.

It would also be better if the PGP-signing was done completely locally,
i.e. PassPhrase never transmitted. This could be accomplished by
having the program running on master signal a program running on your
machine, which then does the PGP-signing (this is better, because then
you can select the tty it runs on), and signals it back. E.g., you are
running "drsign_signer" (in an xterm, let's say), and the program from
master ssh's in and runs "drsign_signer -s blah.dsc blah.changes", which
in turn signals the original program, waits for it to finish signing the
two files, then returns. The program from master then retrieves the newly
signed files.

Another feature which I think would be useful in dupload is the ability
(after all, we now have pristine source for most of our packages) to instead
of uploading the orig.tar.gz to master, ftp it to master from, say
ftp.gnu.org (much much faster for people with modem connections).

> > hmm and since the files are small...no real problem...and since you are
> > sshed in anyway (we should hope) it's not too bad giving it your
> > pgp passphrase...

> The beautiful thing is, neither passphrase goes through the web.
> The pgp-signing is made in your own machine.

Hmmm, well both passphrases go through an ssh connection. How secure do
you think ssh is? They both also go through a program on master. How secure
do you think master is? What about a trojan attack?

> > > ---
> > > dcheckin does just like dupload, but no ftps; it just cp's the
> > > files to the correct locations in master and then announces to
> > > the correct list, and anything else dupload does (like checking
> > > md5sums before anything). I don't know, maybe dupload is able to
> > > do that, but there's no dupload in master AFAICT.
> > 
> > I don't see the need to go through the extra work of 
> > this when we have a perfectly fine dupload....why not just
> > have dupload installed on master for installing from master?
> > 
> > it would just be ftp'in to itself...no real problem with speed
> > (tho...maybe dupload could be made to realize it is on master
> > and "skip the ftp middle man")

> A fine option. Dupload has "methods" which currently can be scp
> or ftp; just add a "local" method (or maybe call it "cp") and
> configure the dupload running in master to always use this
> method.

> And when we use dupload in master, it would also be cool to be
> able to skip the "-to master" - sounds dumb :-)

Sounds good.

> []s,
>                                                |alo
>                                                +----
> --
>    Howling to the moonlight on a hot summer night...
> http://www.webcom.com/lalo      mailto:lalo@webcom.com


> Free Software Union       --       http://www.fslu.org
> Debian GNU/Linux       --        http://www.debian.org

> ------------------------------
-- 
Tom Lees <tom@lpsg.demon.co.uk> <tom@debian.org>  http://www.lpsg.demon.co.uk/
PGP Key: finger tom@master.debian.org, http://www.lpsg.demon.co.uk/pgpkeys.asc.
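
As an added example (not part of the original message, and not drsign or dupload code): one check a locally running signer such as the "drsign_signer" proposed above could make before signing files fetched back from master, confirming that each file named in the .changes matches the size and md5sum recorded there. The function names, the five-column `Files:` layout and the sample data are assumptions made for this example.

```python
import hashlib
import os
import tempfile

def parse_files_field(changes_text):
    """Return [(md5, size, filename)] from the Files: field of a .changes file."""
    entries, in_files = [], False
    for line in changes_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            parts = line.split()  # assumed layout: md5 size section priority name
            if len(parts) != 5:
                raise ValueError("malformed Files line: %r" % line)
            entries.append((parts[0].lower(), int(parts[1]), parts[4]))
        elif in_files:
            break  # first non-indented line ends the field
    return entries

def safe_to_sign(changes_text, directory):
    """Return (ok, problems); ok only if every listed file matches on disk."""
    entries = parse_files_field(changes_text)
    problems = [] if entries else ["no Files entries found"]
    for md5, size, name in entries:
        # A hostile .changes must not be able to name files outside directory.
        if os.path.basename(name) != name or name in (".", ".."):
            problems.append("unsafe filename: " + name)
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append("missing: " + name)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            problems.append("size mismatch: " + name)
        elif hashlib.md5(data).hexdigest() != md5:
            problems.append("md5 mismatch: " + name)
    return (not problems, problems)

if __name__ == "__main__":
    # Constructed sample: a one-file upload fetched into a scratch directory.
    dsc = b"Source: blah\nVersion: 1.0-1\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "blah_1.0-1.dsc"), "wb") as fh:
            fh.write(dsc)
        changes = "Source: blah\nFiles:\n %s %d devel optional blah_1.0-1.dsc\n" % (
            hashlib.md5(dsc).hexdigest(), len(dsc))
        print(safe_to_sign(changes, d))
```

This only shows that the fetched .dsc and .changes agree with each other; it says nothing about whether master built what you intended, which is the trust question raised in the message.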

