[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On Sat, 1 Apr 2000, Anthony Towns wrote:

> Why would verifying a new security-key necessarily be significantly harder
> than verifying a new unstable-key, though? In both cases you only really
> want to check that its signed by the previous security-key.

But in the other case it replaces/augements the security key, having an
automatic means for that seems like a bad idea.

> A global index wouldn't be entirely appropriate for partial mirrors. *shrug*

The file would be small, people can mirror it too. Partial mirrors are
going to need more and more special care in the future that I don't think
this is a concern.

> How would you go about signing half of a global index with the unstable
> key, and leaving the rest signed by the security key?

Two indexes each signed by their respective keys, and the two keys.
> Having a new file right next to the old Packages.gz file might be
> easier to ensure mirroring too. I'm not sure where you'd put a global,
> signed index? *shrug*

debian/indices with the rest of that stuff.
> You could have both, if you wanted, too, I guess. How would the index
> be particularly more useful?

I've always wanted an index :> It is simpler to work with and faster
overall (two gpg checks vs ~36, gpg is very very slow). It also would have
file sizes, I like file sizes :>


Reply to: