Re: Proposal: increasing mirror security
On Mon, 25 Jan 1999, Lalo Martins wrote:
> Sounds good, as long as I can shut it off :-) Also, it should
> use the keyring in developers-keyring or one that comes with
> apt, otherwise the point is moot (anyone who can upload a .deb
> with a trojan can upload a Packages.pgp with a signature)
The only person that can upload a Packages.pgp file is the mirror
maintainer. The explination is below.
> > This would require: a) gnu's version of pgp to work (so that we
> > don't request non-free software to get the free software)
> Here we go again. This would have the problem of requiring all
> developers to switch to gpg.
I definately messed up this point, the only thing that is signed is the
_packages file_, not the individual packages. The only person with gpg is
the mirror maintainer. Actaully, as long as gpg is compatable with pgp,
that doesn't even matter and the apt user simply picks what they want to
> > and the bad part b) someone to be at the console when
> > generating packages files to type the pgp password.
> Huh? You don't need the passphrase to verify signatures.
Not verify, create. The pgp signature is for the packages file, not the
developers packages themselves. This just means the process of moving
files from incoming to the tree needs to have a person at the console
because after the file is moved and the Packages and Packages.gz file are
created, the Packages file needs a pgp signature stored in Packages.pgp.
A less secure version would be to have the Packages.pgp file generated
Sorry about the confusion,
| Brandon Mitchell * email@example.com * http://bhmit1.home.ml.org/ |
| The above is a completely random sequence of bits, any relation to |
| an actual message is purely accidental. |