Re: Signing Packages.gz
On Sat, 1 Apr 2000, Anthony Towns wrote:
> Why would verifying a new security-key necessarily be significantly harder
> than verifying a new unstable-key, though? In both cases you only really
> want to check that it's signed by the previous security-key.
But in the other case it replaces/augments the security key; having an
automatic means for that seems like a bad idea.
> A global index wouldn't be entirely appropriate for partial mirrors. *shrug*
The file would be small, people can mirror it too. Partial mirrors are
going to need more and more special care in the future, so I don't think
this is a concern.
> How would you go about signing half of a global index with the unstable
> key, and leaving the rest signed by the security key?
Two indexes each signed by their respective keys, and the two keys.
> Having a new file right next to the old Packages.gz file might be
> easier to ensure mirroring too. I'm not sure where you'd put a global,
> signed index? *shrug*
debian/indices with the rest of that stuff.
> You could have both, if you wanted, too, I guess. How would the index
> be particularly more useful?
I've always wanted an index :> It is simpler to work with and faster
overall (two gpg checks vs ~36, gpg is very very slow). It also would have
file sizes, I like file sizes :>
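The scheme sketched in this exchange (one signed index per archive area, each carrying the size and hash of every Packages.gz, one signature check per index instead of one per file, a partial mirror checking only the files it carries, and a replacement key accepted only when the previous key signed it) as an added worked example. This is not code from the thread or from Debian's tooling: it uses Ed25519 from the Go standard library as a stand-in for the gpg signatures the message talks about, the archive paths and file contents are constructed sample data, and the index line format (hash, size, path) is an assumption modelled on the Release-file checksum lines.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Entry is one line of a global index: SHA-256, size and archive-relative path.
type Entry struct {
	SHA256 string
	Size   int
	Path   string
}

// BuildIndex lists every file of one archive area with its size and SHA-256,
// sorted by path so the output is reproducible. The map stands in for the
// mirror tree (constructed sample data, not real archive contents).
func BuildIndex(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %d %s\n", hex.EncodeToString(sum[:]), len(files[p]), p)
	}
	return b.String()
}

// ParseIndex turns index text back into entries keyed by path.
func ParseIndex(index string) (map[string]Entry, error) {
	out := map[string]Entry{}
	for _, line := range strings.Split(strings.TrimSpace(index), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed index line %q", line)
		}
		size, err := strconv.Atoi(f[1])
		if err != nil {
			return nil, fmt.Errorf("bad size in %q: %v", line, err)
		}
		out[f[2]] = Entry{SHA256: f[0], Size: size, Path: f[2]}
	}
	return out, nil
}

// VerifyMirror does one signature check on the index, then checks every file
// the mirror actually carries against the listed size and hash. Index entries a
// partial mirror lacks are skipped; files the index does not list are rejected.
func VerifyMirror(pub ed25519.PublicKey, index string, sig []byte, mirror map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(index), sig) {
		return fmt.Errorf("index signature does not verify")
	}
	entries, err := ParseIndex(index)
	if err != nil {
		return err
	}
	for path, data := range mirror {
		e, ok := entries[path]
		if !ok {
			return fmt.Errorf("%s: not listed in signed index", path)
		}
		if len(data) != e.Size {
			return fmt.Errorf("%s: size %d, index says %d", path, len(data), e.Size)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != e.SHA256 {
			return fmt.Errorf("%s: SHA-256 mismatch", path)
		}
	}
	return nil
}

// AcceptRotatedKey trusts a replacement key only if the currently trusted key
// signed it: the "signed by the previous key" check from the quoted lines.
func AcceptRotatedKey(trusted, newKey ed25519.PublicKey, sig []byte) (ed25519.PublicKey, error) {
	if !ed25519.Verify(trusted, newKey, sig) {
		return nil, fmt.Errorf("replacement key is not signed by the current key")
	}
	return newKey, nil
}

func main() {
	// Two areas, two keys: one index for unstable, one for security updates.
	unstablePub, unstablePriv, _ := ed25519.GenerateKey(rand.Reader)
	securityPub, securityPriv, _ := ed25519.GenerateKey(rand.Reader)
	unstable := map[string][]byte{ // constructed sample files
		"dists/unstable/main/binary-i386/Packages.gz": []byte("constructed unstable i386 packages"),
		"dists/unstable/main/binary-m68k/Packages.gz": []byte("constructed unstable m68k packages"),
	}
	security := map[string][]byte{
		"dists/stable/updates/main/binary-i386/Packages.gz": []byte("constructed security i386 packages"),
	}
	unstableIdx, securityIdx := BuildIndex(unstable), BuildIndex(security)
	unstableSig := ed25519.Sign(unstablePriv, []byte(unstableIdx))
	securitySig := ed25519.Sign(securityPriv, []byte(securityIdx))

	// A partial mirror carrying only i386: still just two signature checks.
	partial := map[string][]byte{"dists/unstable/main/binary-i386/Packages.gz": unstable["dists/unstable/main/binary-i386/Packages.gz"]}
	fmt.Println("unstable:", VerifyMirror(unstablePub, unstableIdx, unstableSig, partial))
	fmt.Println("security:", VerifyMirror(securityPub, securityIdx, securitySig, security))

	// Same size, different content: caught by the hash, not the size.
	partial["dists/unstable/main/binary-i386/Packages.gz"] = []byte("constructed unstable i386 packageX")
	fmt.Println("tampered:", VerifyMirror(unstablePub, unstableIdx, unstableSig, partial))

	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err := AcceptRotatedKey(unstablePub, newPub, ed25519.Sign(unstablePriv, newPub))
	fmt.Println("rotated key accepted:", err == nil)
}
```

The size check is cheap and catches truncated mirrors early, but it is the hash that catches a same-length substitution, so a verifier must never stop at the size match. Rejecting files the index does not list is what keeps a mirror from adding an unsigned Packages.gz beside the signed ones.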