On Sun, 20 Sep 2009 18:28:30 -0300, Henrique de Moraes Holschuh <h...@debian.org> wrote:
>On Sun, 20 Sep 2009, Marc Haber wrote:
>> As long as you do not expect me to manually sign every single upload,
>
>Why not?

Because nobody pays me to spend an hour a day to sign packages. We had
three full cycles since I went to bed seven hours ago.

> It is a package, it has root access anywhere it is being installed
>or removed.

And people know that the package is built automatically. All users I
know especially opted in to using the package instead of freshclam for
some-or-other reason.

>As you said, you'd have
>to jump through a lot of loops to do special validation of that specific
>package before installing it.

... which can be fully automated.

>If it would still address whatever problem space clamav-data wants to fix,
>maybe it would be easier if you created a package-generator package (that
>creates a fresh clamav-data package for the user when, e.g. a
>create-clamav-data command is run).

See clamav-getfiles. The script which builds the package is - of course
- packaged. I guess that you didn't even look at what you're trying to
kill.

> If someone has network access to fetch
>clamav-data, he also has network access to fetch the signatures, so he could
>run the "create-clamav-data" utility instead...

This assumption is wrong.

>> It would be massively easier if I knew what are the real issues
>
>What jumps immediately to mind is that someone could get a hold of that key,
>and upload a trojan or bomb that will run as root on anyone that installs
>(or removes, whatever) the package.

Not if the key would be limited to clamav-data only and if the archive
would verify whether the new package only differs from some "golden"
package in the actual signatures.

>> That being said, it looks like volatile's policies are going to change
>> BIG TIME when it gets integrated into the main archive, and frankly,
>> as a volatile user, I'd rather see volatile stay separate than seeing
>> some of its previous principles dumped.
>
>Do you have a very secure setup involving two boxes, one of which is fully
>offline and talks to the first one using a safe, restricted, application
>layer link to get the clamav data, and upload the finished package back to
>the first box?

No. The process runs on a virtual machine on a host privately owned
and operated by the previous ftpmaster of Debian volatile, and was
carefully designed in close cooperation with the former Debian
volatile team.

It is a real shame that the new Debian volatile team decided to put up
more hoops to jump through after clamav-data was one of the first
packages to be included with Debian volatile.

Oh well, some more motivation to work on Debian going down the drain.
Well done.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
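
The "golden package" comparison proposed in the message above, sketched as an added example that is not part of the thread or of any Debian archive tooling. The package model (dicts of control fields, control-archive members and data files), the database paths and the list of fields allowed to change are all assumptions made for illustration.

```python
# Assumptions (not from the thread): the signature database paths, and which
# control fields/members legitimately change on every automated build.
SIGNATURE_FILES = {"./var/lib/clamav/main.cvd", "./var/lib/clamav/daily.cvd"}
VOLATILE_FIELDS = {"Version", "Installed-Size"}
VOLATILE_CONTROL_FILES = {"md5sums"}


def changed_keys(old, new):
    """Keys added, removed, or whose value differs between two mappings."""
    return {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def violations(golden, candidate):
    """List every difference that is not a signature-database update.

    A package is a dict: 'fields' (control fields), 'control' (control-archive
    members such as postinst -> bytes), 'data' (installed path -> bytes).
    """
    found = []
    fields = changed_keys(golden["fields"], candidate["fields"])
    for field in sorted(fields - VOLATILE_FIELDS):
        found.append(f"control field changed: {field}")
    # Maintainer scripts run as root, so any change here is a rejection.
    control = changed_keys(golden["control"], candidate["control"])
    for name in sorted(control - VOLATILE_CONTROL_FILES):
        found.append(f"control-archive member changed: {name}")
    data = changed_keys(golden["data"], candidate["data"])
    for path in sorted(data - SIGNATURE_FILES):
        found.append(f"non-signature file changed: {path}")
    return found


# Constructed sample packages; contents are placeholders, not real data.
GOLDEN = {
    "fields": {"Package": "clamav-data", "Version": "1", "Depends": ""},
    "control": {"postinst": b"#!/bin/sh\nexit 0\n", "md5sums": b"a"},
    "data": {"./var/lib/clamav/main.cvd": b"sigs-1",
             "./usr/share/doc/clamav-data/copyright": b"c"},
}
UPDATE = {  # only version, md5sums and the database differ: acceptable
    "fields": {**GOLDEN["fields"], "Version": "2"},
    "control": {**GOLDEN["control"], "md5sums": b"b"},
    "data": {**GOLDEN["data"], "./var/lib/clamav/main.cvd": b"sigs-2"},
}
TAMPERED = {  # same update, plus a modified postinst and an extra file
    **UPDATE,
    "control": {**UPDATE["control"], "postinst": b"#!/bin/sh\n# modified\n"},
    "data": {**UPDATE["data"], "./usr/bin/extra": b"x"},
}

if __name__ == "__main__":
    print(violations(GOLDEN, UPDATE), violations(GOLDEN, TAMPERED), sep="\n")
```

This model compares file contents only; a check on real packages would also have to compare file modes, ownership and link targets, since a setuid bit or a symlink can change without any content changing.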