
Re: Signing Packages.gz



On Sun, Mar 26, 2000 at 09:00:34AM +1000, Anthony Towns wrote:
> The whole file --- verifying each entry would take at least three minutes
> on my hardware, and god knows how long on anything moderately old or
> outdated. I certainly wouldn't want to try it on m68k on a regular basis,
> eg. (If doing something just once takes a second; doing it 4000 times
> takes a bit over an hour)

I don't think it is useful to sign the Packages file, because:
 
> Whose key should be used? Probably a special one just for dinstall,
> that's kept fairly securely by the Novare and -admin folks, and revoked
> regularly.

Any such key would have to be considered insecure, no matter how soon you
revoke it. So the paranoid people still don't trust it, and the others don't
care (probably).
 
> There doesn't really seem a huge amount of choice here, to me.

Packages should come with their *.changes file, and dpkg should have an
option to verify the signature of individual packages. There was some
discussion about this in the past. The trick is that security should be
implemented in dpkg(-dev), not somewhere else. This has the advantage that
it works also with individual packages you don't get from an archive source.
It could also be used to verify the origin of the package.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server 
Marcus Brinkmann              GNU    http://www.gnu.org    for public PGP Key 
Marcus.Brinkmann@ruhr-uni-bochum.de,     marcus@gnu.org    PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       brinkmd@debian.org
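As an added example, not part of the original thread and not dpkg's own code: the per-package check that a signed .changes file makes possible. The OpenPGP signature over the .changes is something gpg verifies (it is not called here); what that signature vouches for is the Files: section, so the remaining step is to compare each package's size and md5sum against that section. The .changes text, package bytes and the signature block below are constructed sample data, and the format details follow the 1.7-era .changes layout with a five-column Files: entry.

```python
"""Added example: tie a (clearsigned) Debian .changes file to the individual
packages it lists by checking each listed size and md5sum.  The signature
itself is gpg's job and is not verified here; everything below is constructed
sample data, not a real Debian upload."""
import hashlib
import re

# Constructed stand-ins for the .deb files an upload would carry.
PACKAGES = {
    "example_1.0-1_i386.deb": b"example package bytes\n",
    "example-doc_1.0-1_all.deb": b"example doc bytes\n",
}


def strip_clearsign(text):
    """Return the signed body of a clearsigned document, undoing the dash-escaping
    ("- " prefix) that OpenPGP applies to body lines starting with '-'."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text  # not clearsigned; treat as a bare control file
    i = 1
    while i < len(lines) and lines[i].strip():  # skip armor headers (Hash: ...)
        i += 1
    body = []
    for line in lines[i + 1:]:  # first blank line ends the headers
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_fields(body):
    """Parse RFC822-style 'Name: value' fields; continuation lines start with
    whitespace and are kept as separate list items under their field."""
    fields, current = {}, None
    for line in body.splitlines():
        if line[:1] in (" ", "\t"):
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line[1:])
        elif not line.strip():
            continue
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
        else:
            raise ValueError(f"malformed line: {line!r}")
    return fields


def parse_files(fields):
    """Files: entries are 'md5sum size section priority filename'.  Reject
    anything that does not look like that, including filenames with paths."""
    entries = []
    for line in fields.get("Files", []):
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"bad Files: entry: {line!r}")
        md5, size, _section, _priority, name = parts
        if not re.fullmatch(r"[0-9a-f]{32}", md5) or not size.isdigit():
            raise ValueError(f"bad checksum or size in: {line!r}")
        if "/" in name or name in ("", ".", ".."):
            raise ValueError(f"unsafe filename in: {line!r}")
        entries.append((name, md5, int(size)))
    return entries


def verify_changes(changes_text, available):
    """Map each listed filename to 'ok', 'missing', 'size mismatch' or 'md5 mismatch'."""
    results = {}
    for name, md5, size in parse_files(parse_fields(strip_clearsign(changes_text))):
        data = available.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size mismatch"
        elif hashlib.md5(data).hexdigest() != md5:
            results[name] = "md5 mismatch"
        else:
            results[name] = "ok"
    return results


def make_changes(packages):
    """Build a constructed .changes for the sample packages, as the build side
    would, with a placeholder (not real) signature armor around it."""
    files_lines = "\n".join(
        f" {hashlib.md5(d).hexdigest()} {len(d)} misc optional {n}"
        for n, d in packages.items())
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
            "Format: 1.7\nSource: example\nVersion: 1.0-1\nDistribution: unstable\n"
            "Maintainer: Example Maintainer <maintainer@example.invalid>\n"
            "Changes:\n example (1.0-1) unstable; urgency=low\n .\n   * Initial release.\n"
            "Files:\n" + files_lines + "\n"
            "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\n"
            "placeholdersignaturedata==\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    changes = make_changes(PACKAGES)
    print(verify_changes(changes, PACKAGES))
    tampered = dict(PACKAGES, **{"example_1.0-1_i386.deb": b"Example package bytes\n"})
    print(verify_changes(changes, tampered))
```

The order of checks matters for the failure mode the thread is about: a package that is simply absent, one whose size differs, and one of the right size with altered contents are reported separately, so a tool built on this can say which of the files the signed list names is actually in the archive it was fetched from.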

