
Re: apt and multiple connections



Seth Cohn <scohn@clipper.net> writes:

> On 24 Sep 2000, Thomas Bushnell, BSG wrote:
> 
> > > Because when you get the file from multiple places, you add the
> > > requirement of checking the file for consistency and errors.  A crc or
> > > md5sum check is needed, both before the transfer (is it the _SAME_ file,
> > > or just one the same size and date?) and after (did we put it back
> > > together correctly?)
> > 
> > People should be doing this *anyway* as part of the signature checking
> > that should be standard in Debian.
> 
> 'Should' and 'is' are 2 different things.  Since the keyring isn't a
> required package, neither is the signature checking.  You'd have to make
> the keyring required as well as gpg... 

That's not really true actually. We could include a whole key chain the way
X.509 does. Actually all we really need is a Debian automated keysigner key in
the distribution, and include the developer's signature, and the keysigner's
signature on that key in the package.

Over the long term this is more bandwidth than just distributing the keyring,
but only if you only distribute the keyring once. Since the keyring changes
this avoids people having to keep it up to date. It also means you can verify
the package and signature on a non-Debian system given only a single key.

It's not a great key architecture since the keysigner key is a single point of
failure, but we could improve it over time. We could make new keysigner keys
for each revision, each signed by the previous. And we could include a more
advanced mode that evaluated the strength of the trust relationship based on
the path back to the user's own key.

> As it applies to getting a file from multiple locations at once:
> Even if you want to assume that a given filename with a given size and
> date is the exact same file, you still have to verify at least the
> signature on the end result file.  That would be a minimum...  
> Functionally, that would be more useful than just a simple crc or md5sum.

Ideally you want a CRC check on the mirror itself so you can check before you
download. Then you verify the md5sum and signature on the package after
downloading.

-- 
greg
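As an added example (not code from the thread or from apt), here is what the two checks discussed above look like in Python: a pre-download check that every mirror advertises the same digest for the file, not merely the same size and date, and a post-download digest check on the reassembled file against a digest taken from a signed manifest. The mirror contents, the range-fetch function and the manifest digest are constructed for illustration; verifying the manifest's signature itself is assumed to have been done separately with gpg.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: the same package as three mirrors would serve it.
# mirror-c has a one-byte corruption at the same size and date, which is
# exactly the case the thread warns about (hypothetical data, not a real .deb).
PACKAGE = bytes(range(256)) * 4
MIRROR_FILES = {
    "mirror-a": PACKAGE,
    "mirror-b": PACKAGE,
    "mirror-c": PACKAGE[:-1] + b"\x00",
}
# Digest as it would appear in a signed manifest (assumed already verified).
SIGNED_DIGEST = hashlib.md5(PACKAGE).hexdigest()

@dataclass(frozen=True)
class MirrorEntry:
    mirror: str
    size: int
    mtime: str
    digest: str  # digest the mirror's own index advertises for the file

def mirror_entry(mirror):
    """What a mirror's index would advertise for its copy of the file."""
    blob = MIRROR_FILES[mirror]
    return MirrorEntry(mirror, len(blob), "2000-09-24", hashlib.md5(blob).hexdigest())

def fake_fetch(mirror, start, end):
    """Stand-in for an HTTP Range request against one mirror."""
    return MIRROR_FILES[mirror][start:end]

def consistent_across_mirrors(entries):
    """Pre-download check: same size and digest everywhere, not just size/date."""
    return len({(e.size, e.digest) for e in entries}) == 1

def fetch_split(entries, expected_digest, fetch=fake_fetch, algo="md5"):
    """Fetch one file in N ranges from N mirrors, then verify the result.
    algo follows the thread's md5sum; use sha256 in anything current."""
    if not consistent_across_mirrors(entries):
        raise ValueError("mirrors disagree on size/digest; not the same file")
    if entries[0].digest != expected_digest:
        raise ValueError("mirror index digest does not match signed manifest")
    size, n = entries[0].size, len(entries)
    pieces = [fetch(e.mirror, i * size // n, (i + 1) * size // n)
              for i, e in enumerate(entries)]
    data = b"".join(pieces)
    if len(data) != size:
        raise ValueError("reassembled length %d != %d" % (len(data), size))
    actual = hashlib.new(algo, data).hexdigest()
    if actual != expected_digest:
        raise ValueError("post-download digest mismatch: %s" % actual)
    return data
```

The second failure case matters most: a mirror that advertises the correct digest but serves corrupt bytes passes the pre-download check and is only caught by the digest check on the reassembled file.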


