Re: Proposal: increasing mirror security
On Jan 25, Brandon Mitchell decided to present us with:
> The thought I had was to make pgp signatures of the package
> files and save them as Packages.pgp. This will not interfear
> with the current package files, therefore we are still
> backwards compatable. Then apt could check for a pgp file and
> verify it for the user. If it fails, it could just warn the
> user and ask to continue.
Sounds good, as long as I can shut it off :-) Also, it should
use the keyring in developers-keyring or one that comes with
apt, otherwise the point is moot (anyone who can upload a .deb
with a trojan can upload a Packages.pgp with a signature)
> This would require: a) gnu's version of pgp to work (so that we
> don't request non-free software to get the free software)
Here we go again. This would have the problem of requiring all
developers to switch to gpg.
OTOH, we could just sign all packages with a same key ("the
Debian key"); when dinstall verifies the signature and md5sum in
the .changes file, it signs the package and updates
Packages.pgp). One added advantage of this is that apt only has
to care about one key - it may even have it hardwired if gpg
> and the bad part b) someone to be at the console when
> generating packages files to type the pgp password.
Huh? You don't need the passphrase to verify signatures.
I am Lalo of deB-org. You will be freed.
Resistance is futile.
pgp key in the web page
Debian GNU/Linux -- http://www.debian.org