[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

On Thu, Nov 24, 2005 at 03:48:15PM +1000, Anthony Towns wrote:
> On Thu, Nov 24, 2005 at 02:31:22PM +1100, Matthew Palmer wrote:
> > I think the final judgment in this issue is going to come down to personal
> > taste and needs more than anything else.
> That's fine for personal repositories, it's not sufficient for Debian's
> archive.

Well, I think that personal taste is sufficient for Debian's archive, and it
seems obvious that Those In The Know have decided that they prefer one taste
over another.  <grin>

> > > > At the very least, though, I can't find a hole which makes binary package
> > > > signatures, done properly, any less secure than per-archive signing.
> > > That's easy: you trust the Packages file to be correct when using apt,
> > > and it's not verified at all by per-package signatures.
> > That's a good point.  However, what damage can be done with a bodgy Packages
> > file, if only well-signed .debs are actually accepted for installation on
> > the system?  
> Add a "Depends: some-random-package" that you know has a security hole
> to dpkg's entry in the Packages and it'll be automatically installed by
> apt.

You're a lot more devious than I am, AJ, as I'd never considered these

> > > Hrm, I see queue/done (which contains .changes files going back to the
> > > dark ages) isn't even being mirrored to merkel properly at the moment.
> > > That's not so constructive.
> > Is there a publically accessable form of queue/done somewhere that people
> > can download the .changes files from?  
> No, there isn't anything, apparently the mirroring to merkel got disabled
> due to the inode usage / rsync time. There's some 700k odd changes
> files.

Ouch.  rsync must be *loving* those.

- Matt

Attachment: signature.asc
Description: Digital signature

Reply to: