Thijs Kinkhorst wrote: > I've removed some CC's. > > On Mon, January 19, 2009 12:47, Eugene V. Lyubimkin wrote: >> 1) insert apt-transport-https and all its deps into base system (libcurl, >> kerberos etc.) > > I'm not sure if we need kerberos for this to work. Just like apt uses a > small version of gnupg to verify signatures, we can use a small version of > the https transport that satisfies our needs? apt-transport-https really depends only on curl, but curl itself has significant amount of dependencies, so maybe, it depends how the curl binary package could be split. > >> 2) Release and Release.gpg, installed on >> security.debian.org, should be somehow synchronized with at least all >> official Debian mirrors, I don't know how hard it would be to insert this >> move into archive infrastructure (ftp masters CC'ed) >> 3) needs some hardcoded black magic in APT - if user has an entry > > I think it's essential to note that the scheme is in principle only > required for the security mirrors, because the attack scenario is based on > withholding security updates. As we fully control the security mirrors, I > think we need not consider mirrors to solve the problem adequately, and > have a reliable way to know which sources.list entry it applies to. Ah, agreed, makes sense too. -- Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com Ukrainian C++ Developer, Debian Maintainer, APT contributor
Attachment:
signature.asc
Description: OpenPGP digital signature