Russ Allbery <[EMAIL PROTECTED]> writes:

> Michael Stone <[EMAIL PROTECTED]> writes:
>> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
>
>>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>>> and not only on a master, the various .gpg files and packages can, even
>>> though difficult, be modified on the single mirror.  IMHO, verification
>>> needs to have an alternate channel than the downloads.
>
>> If someone can modify gpg signatures we have a bigger problem that can't
>> be solved by any solution proposed thus far.
>
> You have to make sure the Release.gpg and Timestamp.gpg files are linked
> in some fashion, or the fake mirror will just update its Timestamp.gpg
> file from the real mirror regularly while leaving all other files the
> same.

Timestamp.gpg would be the signature for Release just like Release.gpg
is.

> In the debian-devel thread, the proposal was to instead resign Release.gpg
> and rely on the timestamp of its signature, which I think is a cleaner and
> simpler solution.

That would require the signing key to be online. For stable and
possibly security an offline key for manual signing is strongly
preferable.

MfG
        Goswin

PS: Instead of a timestamp.gpg, the Release.gpg has 2 signatures: one
fixed manual one by the release team and one daily automatic one by the
automatic archive key.

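As an added example (not code from this thread), a verifier for the two-signature layout in the PS, with HMAC standing in for the OpenPGP signatures so it runs offline; the key names, the digest binding and the 2-day freshness window are assumptions. It also shows Russ's point that the automatic signature must be tied to the Release content, or a frozen mirror could copy a fresh timestamp signature next to a stale Release.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the two keys discussed: the release team's
# offline key and the archive's online key. HMAC replaces OpenPGP
# signatures here so the example runs offline; the checks are the same.
RELEASE_TEAM_KEY = b"offline-release-team-key (constructed)"
ARCHIVE_KEY = b"online-archive-key (constructed)"
MAX_AGE = 2 * 24 * 3600  # accept a daily automatic signature up to 2 days old

def sign(key, message):
    """Toy detached signature (stand-in for one signature in Release.gpg)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def release_digest(release):
    return hashlib.sha256(release).digest()

def make_timestamp_sig(release, ts):
    """Daily automatic signature: binds the timestamp to the Release digest,
    as an OpenPGP signature's creation time is part of the signed data.
    A signature over the timestamp alone could be copied from the real
    mirror onto an old Release, which is the weakness raised above."""
    return ts, sign(ARCHIVE_KEY, release_digest(release) + str(ts).encode())

def verify(release, manual_sig, timestamp_sig, now=None):
    """Return (ok, reason). Both signatures must verify against *this*
    Release, and the automatic one must be fresh."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(manual_sig, sign(RELEASE_TEAM_KEY, release)):
        return False, "manual release-team signature invalid"
    ts, sig = timestamp_sig
    expected = sign(ARCHIVE_KEY, release_digest(release) + str(ts).encode())
    if not hmac.compare_digest(sig, expected):
        return False, "timestamp signature not bound to this Release"
    if now - ts > MAX_AGE:
        return False, "timestamp signature stale: mirror may be frozen"
    if ts > now + 3600:
        return False, "timestamp in the future"
    return True, "ok"
```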