[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On Sat, Mar 25, 2000 at 11:03:11PM +0100, Robert Bihlmeyer wrote:
> Chris Frey <cdfrey@foursquare.net> writes:
> > So my question is, what are your thoughts on adding a signature to the
> > current Packages.gz file, or adding a similar *dsc file for it,
> > which is then signed? 
> Do you want to sign each package entry, or the whole file? Whose
> signature would be used?

The whole file --- verifying each entry would take at least three minutes
on my hardware, and god knows how long on anything moderately old or
outdated. I certainly wouldn't want to try it on m68k on a regular basis,
eg. (If doing something just once takes a second; doing it 4000 times
takes a bit over an hour)

Whose key should be used? Probably a special one just for dinstall,
that's kept fairly securely by the Novare and -admin folks, and revoked

There doesn't really seem a huge amount of choice here, to me.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds

Attachment: pgprSCgWT4fhd.pgp
Description: PGP signature

Reply to: