
Re: Signing Packages.gz



On Sat, 1 Apr 2000, Anthony Towns wrote:

> Why would verifying a new security-key necessarily be significantly harder
> than verifying a new unstable-key, though? In both cases you only really
> want to check that its signed by the previous security-key.

But in the other case it replaces/augments the security key; having an
automatic means for that seems like a bad idea.

> A global index wouldn't be entirely appropriate for partial mirrors. *shrug*

The file would be small; people can mirror it too. Partial mirrors are
going to need more and more special care in the future, so I don't think
this is a concern.

> How would you go about signing half of a global index with the unstable
> key, and leaving the rest signed by the security key?

Two indexes each signed by their respective keys, and the two keys.
 
> Having a new file right next to the old Packages.gz file might be
> easier to ensure mirroring too. I'm not sure where you'd put a global,
> signed index? *shrug*

debian/indices with the rest of that stuff.
 
> You could have both, if you wanted, too, I guess. How would the index
> be particularly more useful?

I've always wanted an index :> It is simpler to work with and faster
overall (two gpg checks vs ~36, gpg is very very slow). It also would have
file sizes, I like file sizes :>

Jason
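Added example, not code from this thread or from Debian's archive tools: the scheme described above, one signed index carrying the size and digest of every Packages.gz file, so a client does one signature check and then a per-file size and digest comparison. Everything concrete here is an assumption for illustration: Ed25519 from Go's standard library stands in for the gpg signature, SHA-256 is the digest, the index uses a simple "path size digest" line format, and the file contents are constructed stand-ins rather than real gzip data. Entries with no local copy are skipped, which is what a partial mirror looks like; a local file the index never mentions is rejected; a truncated file is caught by the size before any hashing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Entry is one index line: archive-relative path of a Packages.gz file, its
// size in bytes and its SHA-256 digest in hex (line format assumed here).
type Entry struct {
	Path   string
	Size   int64
	SHA256 string
}

// BuildIndex renders one "path size digest" line per file, sorted by path so
// the signed bytes do not depend on map iteration order.
func BuildIndex(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b bytes.Buffer
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %d %s\n", p, len(files[p]), hex.EncodeToString(sum[:]))
	}
	return b.Bytes()
}

// SignIndex makes the one detached signature covering the whole index
// (Ed25519 stands in for the gpg signature the thread discusses).
func SignIndex(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// ParseIndex turns verified index text into entries keyed by path, skipping
// blank lines; a malformed line is a publisher-side error.
func ParseIndex(index []byte) (map[string]Entry, error) {
	out := make(map[string]Entry)
	for n, line := range strings.Split(string(index), "\n") {
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("index line %d: want 3 fields, got %d", n+1, len(f))
		}
		size, err := strconv.ParseInt(f[1], 10, 64)
		if err != nil || size < 0 {
			return nil, fmt.Errorf("index line %d: bad size %q", n+1, f[1])
		}
		out[f[0]] = Entry{Path: f[0], Size: size, SHA256: f[2]}
	}
	return out, nil
}

// VerifyArchive is the client side: one signature check over the index, then a
// size check (cheap, catches truncation before hashing) and a digest check per
// local file. Index entries with no local copy are skipped (a partial mirror);
// a local file the index does not mention fails, since nothing vouches for it.
// It returns the failing paths, sorted; an empty slice means all is well.
func VerifyArchive(pub ed25519.PublicKey, index, sig []byte, files map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, index, sig) {
		return nil, fmt.Errorf("index signature does not verify under this key")
	}
	byPath, err := ParseIndex(index)
	if err != nil {
		return nil, err
	}
	var bad []string
	for p, data := range files {
		e, ok := byPath[p]
		if !ok || int64(len(data)) != e.Size {
			bad = append(bad, p)
			continue
		}
		if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != e.SHA256 {
			bad = append(bad, p)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	// Constructed sample: one Packages.gz stand-in (plain bytes, not gzip),
	// signed with a freshly generated key, then verified as a client would.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	files := map[string][]byte{"dists/unstable/main/binary-i386/Packages.gz": []byte("unstable i386 package list")}
	index := BuildIndex(files)
	bad, err := VerifyArchive(pub, index, SignIndex(priv, index), files)
	fmt.Println("failing paths:", bad, "error:", err)
}
```

The two-index arrangement from the reply (one index signed by the unstable key, one by the security key) is the same code run twice with different key pairs: verifying an index under the wrong key fails at the signature step before any file is examined.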

