Russ Allbery <[EMAIL PROTECTED]> writes:

> Michael Stone <[EMAIL PROTECTED]> writes:
>> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
>
>>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>>> and not only on a master, the various .gpg files and packages can, even
>>> though difficult, be modified on the single mirror. IMHO, verification
>>> needs to have an alternate channel than the downloads.
>
>> If someone can modify gpg signatures we have a bigger problem that can't
>> be solved by any solution proposed thus far.
>
> You have to make sure the Release.gpg and Timestamp.gpg files are linked
> in some fashion, or the fake mirror will just update its Timestamp.gpg
> file from the real mirror regularly while leaving all other files the
> same.

Timestamp.gpg would be the signature for Release just like Release.gpg is.

> In the debian-devel thread, the proposal was to instead resign Release.gpg
> and rely on the timestamp of its signature, which I think is a cleaner and
> simpler solution.

That would require the signing key to be online. For stable, and possibly
security, an offline key for manual signing is strongly preferable.

MfG
        Goswin

PS: Instead of a timestamp.gpg, the Release.gpg has 2 signatures: one
fixed manual one by the release team and one daily automatic one by the
automatic archive key.
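The two-signature scheme from the PS, and Russ's point that the freshness signature must be bound to the Release file it vouches for, are easy to get wrong in a client, so here is an added example (not code from this thread or from apt) that models the check a mirror client would run. It stands in for OpenPGP detached signatures with HMACs over (signing time || sha256(Release)), because that is the only property the thread depends on: the daily signature covers the Release contents and carries its own signing time. Key names, secrets, the Release text and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for an OpenPGP signature packet: which key made it,
# when it was made, and a MAC that covers both the time and the Release body.
@dataclass(frozen=True)
class Signature:
    key_id: str
    signing_time: int   # seconds since the epoch, like the OpenPGP signature time
    mac: bytes


def _digest(release_bytes: bytes, signing_time: int) -> bytes:
    # Hash the signing time together with the Release contents, so a
    # signature cannot be lifted from one Release and attached to another.
    h = hashlib.sha256()
    h.update(signing_time.to_bytes(8, "big"))
    h.update(release_bytes)
    return h.digest()


def sign(key_id: str, secret: bytes, release_bytes: bytes, signing_time: int) -> Signature:
    mac = hmac.new(secret, _digest(release_bytes, signing_time), "sha256").digest()
    return Signature(key_id, signing_time, mac)


def verify(sig: Signature, secret: bytes, release_bytes: bytes) -> bool:
    expected = hmac.new(secret, _digest(release_bytes, sig.signing_time), "sha256").digest()
    return hmac.compare_digest(sig.mac, expected)


MANUAL_KEY = "release-team"    # constructed name: offline key, signs a point release once
AUTO_KEY = "archive-auto"      # constructed name: online key, re-signs every day
MAX_AUTO_AGE = 2 * 24 * 3600   # accept a daily signature only if it is this recent


def check_release(release_bytes: bytes, signatures: List[Signature],
                  keyring: Dict[str, bytes], now: int,
                  max_auto_age: int = MAX_AUTO_AGE) -> str:
    """Return "ok" or the reason the Release must be rejected."""
    valid: Dict[str, Signature] = {}
    for sig in signatures:
        secret = keyring.get(sig.key_id)
        # A signature that does not verify over *this* Release is the
        # "copied Timestamp.gpg from the real mirror" case: reject outright.
        if secret is None or not verify(sig, secret, release_bytes):
            return f"bad signature from {sig.key_id}"
        valid[sig.key_id] = sig
    if MANUAL_KEY not in valid:
        return "missing release-team signature"
    if AUTO_KEY not in valid:
        return "missing daily signature"
    age = now - valid[AUTO_KEY].signing_time
    if age < 0:
        return "daily signature is from the future"
    if age > max_auto_age:
        return f"daily signature is stale ({age // 3600} h old)"
    return "ok"


# Constructed secrets; in reality these are the private halves of two OpenPGP keys.
KEYRING = {MANUAL_KEY: b"constructed-offline-secret", AUTO_KEY: b"constructed-online-secret"}
DAY = 24 * 3600


def scenarios() -> Dict[str, str]:
    """Run the four situations from the thread and return each verdict."""
    t0 = 1_216_000_000  # constructed: roughly when the thread was written
    release_v1 = b"Suite: stable\nSHA256:\n deadbeef 1024 main/binary-i386/Packages\n"
    release_v2 = release_v1.replace(b"deadbeef", b"feedface")   # a later, updated Release
    manual_v1 = sign(MANUAL_KEY, KEYRING[MANUAL_KEY], release_v1, t0)
    daily_v1 = sign(AUTO_KEY, KEYRING[AUTO_KEY], release_v1, t0 + 10 * DAY)
    daily_v2 = sign(AUTO_KEY, KEYRING[AUTO_KEY], release_v2, t0 + 10 * DAY)
    now = t0 + 10 * DAY + 3600

    return {
        # Honest mirror: manual signature plus a daily signature from this morning.
        "fresh": check_release(release_v1, [manual_v1, daily_v1], KEYRING, now),
        # Frozen mirror: same files, but nothing re-signed for two weeks.
        "frozen": check_release(release_v1, [manual_v1, daily_v1], KEYRING, now + 14 * DAY),
        # Russ's attack: old Release, but today's daily signature copied from the
        # real mirror, which signed the newer Release_v2. The binding catches it.
        "copied_timestamp": check_release(release_v1, [manual_v1, daily_v2], KEYRING, now),
        # Online key alone: fresh, but not signed by the release team.
        "auto_only": check_release(release_v1, [daily_v1], KEYRING, now),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18} {verdict}")
```

The freshness window is the tunable part: the daily re-sign interval plus the client's tolerance decides how long a frozen mirror can withhold a security update before clients refuse it, so the window should be measured against how quickly such updates are expected to reach users.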