Re: Signing Packages.gz
On Sun, Mar 26, 2000 at 09:00:34AM +1000, Anthony Towns wrote:
> The whole file --- verifying each entry would take at least three minutes
> on my hardware, and god knows how long on anything moderately old or
> outdated. I certainly wouldn't want to try it on m68k on a regular basis,
> eg. (If doing something just once takes a second; doing it 4000 times
> takes a bit over an hour)
I don't think it is useful to sign the Packages file, because:
> Whose key should be used? Probably a special one just for dinstall,
> that's kept fairly securely by the Novare and -admin folks, and revoked
Any such key would have to be considered insecure, no matter how soon you
revoke it. So the paranoid people still don't trust it, and the other don't
> There doesn't really seem a huge amount of choice here, to me.
Packages should come with their *.changes file, and dpkg should have an
option to verify the signature of individual packages. There was some
discussion about this in the past. The trick is that security should be
implemented in dpkg(-dev), not somewhere else. This has the advantage that
it works also with individual packages you don't get from an archive source.
It cuold also be used to verify the origin of the package.
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server
Marcus Brinkmann GNU http://www.gnu.org for public PGP Key
Marcus.Brinkmann@ruhr-uni-bochum.de, firstname.lastname@example.org PGP Key ID 36E7CD09