On Fri, Mar 31, 2000 at 09:31:31PM -0700, Jason Gunthorpe wrote:
> On Sat, 1 Apr 2000, Anthony Towns wrote:
> > * the web of trust, and having the ftp-team sign it
> The average user has no entry to the web of trust, so this is just as
> useless. (and massively involved for our poor end user)

It's useful for a lot of people though (although nowhere near most). People who're friends of a guy who's in a usergroup with a guy who went to a conference that a developer went to who's also met someone on the security team should theoretically be able to just say gpg --somethingorother and get a list of the trust path, and a bright little message that says `Hey, you have reason to trust this person, well done!'.

I don't know that gpg has such an option atm though, or whether the keyservers are set up "appropriately" for such an operation to be really feasible. But there's little cost from our end to make it possible at least.

> > Stick it on the ftp site, and use the web of trust. (If the secure-key that
> > you currently have trusts it, then it's good. Either because it's an update
> > of the old secure-key, or because it's an unstable-key).
> The security key must never be obsoleted, it should last the lifetime of
> the project - anything else is too complicated for our users :|

Not really possible. If one of the security team dies, or their equipment gets stolen, or Quantum computing takes off, or... Heaps of things can invalidate a key. The security one ought to last a few releases at least though, enough so that manual reverification isn't too horrible.

Why would verifying a new security-key necessarily be significantly harder than verifying a new unstable-key, though? In both cases you only really want to check that it's signed by the previous security-key.

> > or so before gzipping anything.
> I'd like a separate global index, that is much more useful really.

A global index wouldn't be entirely appropriate for partial mirrors. *shrug* How would you go about signing half of a global index with the unstable key, and leaving the rest signed by the security key?

Having a new file right next to the old Packages.gz file might be easier to ensure mirroring too. I'm not sure where you'd put a global, signed index? *shrug* You could have both, if you wanted, too, I guess. How would the index be particularly more useful?

Cheers,
aj

--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

``The thing is: trying to be too generic is EVIL. It's stupid, it results in slower code, and it results in more bugs.''
        -- Linus Torvalds