[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On Fri, Mar 31, 2000 at 09:31:31PM -0700, Jason Gunthorpe wrote:
> On Sat, 1 Apr 2000, Anthony Towns wrote:
> > 	* the web of trust, and having the ftp-team sign it
> The average user has no entry to the web of trust, so this is just as
> useless. (and massively involved for our poor end user)

It's useful for a lot of people though (although nowhere near
most). People who're friends of a guy who's in a usergroup with a
guy who went to a conference that a developer went to who's also met
someone on the security team should theoretically be able to just say gpg
--somethingorother and get a list of the trust path, and a bright little
message that says `Hey, you have reason to trust this person, well done!'.

I don't know that gpg has such an option atm though, or whether the
keyservers are setup "appropriately" for such an operation to be really

But there's little cost from our end to make it possible at least.

> > Stick it on the ftp site, and use the web of trust. (If the secure-key that
> > you currently have trusts it, then it's good. Either because it's an update
> > of the old secure-key, or because it's an unstable-key).
> The security key must never be obsoleted, it should last the life time of
> the project - anything else is too complicated for our users :|

Not really possible. If one of the security team dies, or their equipment
gets stolen, or Quantum computing takes off, or... Heaps of things can
invalidate a key. The security one ought to last a few releases at least
though, enough so that manual reverification isn't too horrible.

Why would verifying a new security-key necessarily be significantly harder
than verifying a new unstable-key, though? In both cases you only really
want to check that its signed by the previous security-key.

> > or so before gzipping anything.
> I'd like a seperate global index, that is much more usefull really.

A global index wouldn't be entirely appropriate for partial mirrors. *shrug*

How would you go about signing half of a global index with the unstable
key, and leaving the rest signed by the security key?

Having a new file right next to the old Packages.gz file might be
easier to ensure mirroring too. I'm not sure where you'd put a global,
signed index? *shrug*

You could have both, if you wanted, too, I guess. How would the index
be particularly more useful?


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds

Attachment: pgp8kbIsjmbRH.pgp
Description: PGP signature

Reply to: