[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

Anthony Towns <aj@azure.humbug.org.au> writes:

> On Sat, Mar 25, 2000 at 11:03:11PM +0100, Robert Bihlmeyer wrote:
> > Do you want to sign each package entry, or the whole file?
> The whole file --- verifying each entry would take at least three minutes
> on my hardware, and god knows how long on anything moderately old or
> outdated.

Verifying /one/ entry takes three minutes? On my 486 box (which I'd
call moderately outdated) verifying a 1024 bit DSS signature with GPG
takes under two seconds. (Or did you mean verifying all entries? See

> I certainly wouldn't want to try it on m68k on a regular basis,
> eg. (If doing something just once takes a second; doing it 4000 times
> takes a bit over an hour)

There is no need to check all of them - only those for packages that
are about to get installed. For reference: on said 80486 "apt-get
install gnupg" took over two minutes (without downloading). Adding two
seconds to that would be no problem, IMHO.

One thing to consider is that this would make the Package.gz file
noticeably bigger.

> Whose key should be used? Probably a special one just for dinstall,
> that's kept fairly securely by the Novare and -admin folks, and revoked
> regularly.

This key's security value would not be much above that of the debian
machines themselves. You'd get about the same security by a mirror of
master, that is administed by the same people (does this mirror

Whose key should be used by entry-level signing? I assume that .debs
are created by an automated process with no user intervention.


Reply to: