[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
From: |
Tom Lord |
Subject: |
Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff |
Date: |
Fri, 26 Dec 2003 13:33:59 -0800 (PST) |
> From: James Blackwell <address@hidden>
> [various things] are certainly worthy of discussion and strikes
> me as useful. However, that is a different itch than the one I
> scratched with gpgcheck. gpgcheck is intended as a 'we promised
> the FSF the ability to gpg signed archives by New Years, and we
> need somebody to hack something together so that they can verify
> those signed archives'.
And I appreciate and thank you for that. You are absolutely right
about what the priorities are and should not feel that I'm asking you
to hurry up and generalize it.
In the longer term:
> > Checksum files are _not_ useless without signing. They have at least
two
> > uses:
> Are you within context? This is within the context of gpgcheck.
> gpgcheck is a script to use gpg signatures within an archive to
> verify the integrity of said archive.
I haven't looked at the script yet but it should be doing several
different things:
a) it should make sure that the (up to) 2 checksum files are for the
same revision as is actually stored in this directory
b) it should make sure that every file named in the 2 checksum files
occurs in the directory
c) it should make sure that no file other than .listing which is not
named in the two checksum files occurs in the directory
d) it should make sure that all of the files match their md5 sums
e) it should check the accuracy of other .listing files in the
directory
f) it should make sure that the signatures on the checksum files are
valid
Ideally it should also:
g) Record ("elsewhere") a complete list of the contents of the
archive. If a previously recorded list is provided as input,
make sure that nothing has been deleted.
Of the items in that list, everything other than (f) is useful for
checking for media failures -- so I do think that such checks are an
appropriate function for the script (i.e., checking unsigned
archives).
Later on, it might be worth generalizing the script to accept an
additional (possibly signed) input of md5-sums and compare those to
the ones actually in the archive.
> > 1) They can be used to detect media failures.
> othoganal to gpgcheck. That gpgcheck picks up failed md5sums is
> a free side effect of looking for local archive tampering.
It may be "free" in some sense but 90% of what gpgcheck should be
doing is exactly what you'd want a media-failure check to do.
-t
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, (continued)
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Johannes Berg, 2003/12/26
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Robert Collins, 2003/12/26
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Andrew Suffield, 2003/12/26
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Tom Lord, 2003/12/26
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Andrew Suffield, 2003/12/27
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, James Blackwell, 2003/12/27
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Andrew Suffield, 2003/12/27
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Robert Collins, 2003/12/27
Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Tom Lord, 2003/12/26