
Re: apt security model



On Tuesday 07 December 2004 04:25 am, Michael Vogt wrote:
> >   I'm poking around at the new security stuff in apt 0.6, and I have
> > a quick question: What exactly is the purpose of the IndexFile
> > class, and how does it behave?
>
> The metaIndex will always try to download a Release.gpg along with the
> Release file. That is passed to the gpgv method to verify the
> signature of the Release file (against the trusted keys in
> /etc/apt/trusted.gpg). If that is successful the source is
> "trusted". If not, the Release.gpg file is removed from the apt lists
> directory and the source is not trusted.

  Okay.  So IndexFile objects correspond to Release files.

> > For instance, pkgAcqArchive::IsTrusted appears to assume that some
> > index file will always be available for a given Version.  Is that
> > true?  I mention this method because if no index file is found, it
> > returns "true", so a complete lack of index files -- meaning nothing
> > to check for trustedness -- results in the routine reporting that
> > the item is trusted.  If it was possible that no index files would
> > be available, I would expect this to return "false", unless I
> > completely misunderstand what's going on.
>
> The latest version no longer contains those lines. It now starts
> with Trusted=false and if it finds a trusted source, it will switch to
> "package is trusted" mode. That means it will only download it from a
> trusted source (for cases like when the package is available from
> various sources).

  Oh, I see.  By the way, would it be possible for IsTrusted to (also) be a 
method on VerIterators?  It looks to me like there's nothing that prevents 
this, and it would be nice to not have to either generate AcquireItems or 
reimplement it.  At the moment I'm reimplementing it.

  And, to answer another question I was asking in case anyone is searching the 
archives, I discovered that the installed version of a package never has a 
corresponding IndexFile object.  So it's expected that some trusted packages 
have VersionFiles without an IndexFile.

> The code is available in Matt's arch archive [1] at
> http://people.debian.org/~mdz/arch. You need tla or baz
> (http://bazaar.canonical.com/). The archive name is
> apt@packages.debian.org/apt--authentication--0.

  I tried to use arch once and my head exploded :).  Not again until I really, 
really, really need an industrial-strength version control system...or, I 
guess, until I need to access the apt development sources :P

  Daniel

-- 
/------------------- Daniel Burrows <dburrows@debian.org> ------------------\
|           "But what the eagle does not realize is that it is              |
|            participating in a crude form of natural selection.            |
|            One day, a tortoise will learn to fly."                        |
|             -- Terry Pratchett, _Small Gods_                              |
\--- Be like the kid in the movie!  Play chess! -- http://www.uschess.org --/
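
The difference between the two IsTrusted behaviours discussed in this message, as an added example that is not part of the original post and is not apt's code. The `Index` enum and both function names are hypothetical, and the "first index found decides" rule in the fail-open variant is an assumption made to model the behaviour described in the question.

```cpp
#include <iostream>
#include <vector>

// Hypothetical model, not apt's classes: the index state behind one
// place a package version can come from.
enum class Index {
    None,       // no index file at all, e.g. the installed version
    Untrusted,  // Release file without a valid signature
    Trusted     // Release.gpg verified against the trusted keys
};

// Fail-open: the behaviour questioned in the thread. When no index file
// is found there is nothing to check, and the answer is still "trusted".
bool is_trusted_fail_open(const std::vector<Index>& files) {
    for (Index f : files) {
        if (f != Index::None)
            return f == Index::Trusted;  // first index found decides (assumption)
    }
    return true;
}

// Fail-closed: start at false and switch to true only on positive
// evidence, i.e. at least one trusted source offers the version.
bool is_trusted_fail_closed(const std::vector<Index>& files) {
    bool trusted = false;
    for (Index f : files) {
        if (f == Index::Trusted)
            trusted = true;
    }
    return trusted;
}

int main() {
    // Constructed sample inputs.
    const std::vector<Index> installed_only = {Index::None};
    const std::vector<Index> mixed = {Index::None, Index::Untrusted, Index::Trusted};
    std::cout << std::boolalpha
              << "installed only: open=" << is_trusted_fail_open(installed_only)
              << " closed=" << is_trusted_fail_closed(installed_only) << "\n"
              << "mixed sources:  open=" << is_trusted_fail_open(mixed)
              << " closed=" << is_trusted_fail_closed(mixed) << "\n";
    return 0;
}
```

With the fail-closed form, a version file that has no index simply contributes nothing, so a version is reported trusted only when some other source for it verified.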
