
Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff


From: Andrew Suffield
Subject: Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
Date: Sat, 27 Dec 2003 03:27:18 +0000
User-agent: Mutt/1.5.4i

On Sat, Dec 27, 2003 at 09:58:09AM +1100, Robert Collins wrote:
> On Sat, 2003-12-27 at 06:55, Tom Lord wrote:
> 
> > 
> > At any rate, it should only be an error if the archive is a signed
> > archive.  Otherwise it should be at most a single warning that the
> > archive is unsigned.
> 
> I think that that should be configurable in the long term - i.e.
> in the short term.
> 
> Otherwise, our conceptual attacker can simply remove
> \=meta-info/signed-archive, and turn a hard failure into a warning.

Not instead of, but also:

If we ever see a =meta-info/signed-archive file, record that locally
(presumably in .arch-params); if we have a local record and the
archive is unsigned, abort immediately. Such records would never be
reverted except via explicit user intervention.

That won't help users who never touched the archive before it was
compromised, but it will both help existing users, and serve as a
fairly effective mechanism for detection (only *one* person has to
report the archive corruption).

It introduces a constraint that you never convert a signed archive
into an unsigned one - which is probably a reasonable constraint.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
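The record-and-abort rule proposed above, worked through as an added example (it is not code from this thread or from tla): the first time an archive is seen with the =meta-info/signed-archive marker, that fact is pinned locally; later, a pinned archive that shows up without the marker is a hard failure rather than a warning, an archive never seen signed only warns, and the pin is cleared only by an explicit user action. The class, function and file names, the JSON record file standing in for .arch-params, and the archive name are all assumptions made for the example.

```python
"""
Added example (not from the gnu-arch-users thread or the tla code base):
a trust-on-first-use pin for the =meta-info/signed-archive marker.

  - first sighting of the marker for an archive: record it locally
    (the thread suggests .arch-params; here the record file path is a
    constructor argument so the demo can run in a temporary directory);
  - later access with a record but no marker: abort, the archive was
    downgraded from signed to unsigned;
  - no record and no marker: warn only;
  - a record is never reverted automatically, only by forget_pin().

All names below are assumptions for the example.
"""
import json
import os
import tempfile

OK, WARN_UNSIGNED, ABORT_DOWNGRADED = "ok", "warn-unsigned", "abort-downgraded"


class SignedArchivePins:
    """Local record of which archives have ever been seen as signed."""

    def __init__(self, path):
        self.path = path
        self.pins = set()
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = set(json.load(fh))

    def _save(self):
        with open(self.path, "w") as fh:
            json.dump(sorted(self.pins), fh)

    def check(self, archive_name, has_signed_marker):
        """Decide how an access should proceed.

        has_signed_marker: whether =meta-info/signed-archive is present
        in the archive as fetched right now.
        """
        if has_signed_marker:
            # Pin on first sight; the pin survives every later access.
            if archive_name not in self.pins:
                self.pins.add(archive_name)
                self._save()
            return OK
        if archive_name in self.pins:
            # Seen signed before, unsigned now: hard failure, not a warning.
            return ABORT_DOWNGRADED
        return WARN_UNSIGNED

    def forget_pin(self, archive_name):
        """Explicit user intervention: the only way to revert a record."""
        self.pins.discard(archive_name)
        self._save()


def demo():
    """Run the scenario from the thread inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "signed-archives.json")
        archive = "user@example.org--2003/project--branch--1.0"  # constructed
        pins = SignedArchivePins(path)
        first = pins.check(archive, has_signed_marker=True)
        # A fresh process reloads the record from disk before checking.
        later = SignedArchivePins(path)
        downgraded = later.check(archive, has_signed_marker=False)
        never_seen = later.check("user@example.org--2003/other--1.0",
                                 has_signed_marker=False)
        later.forget_pin(archive)
        after_forget = later.check(archive, has_signed_marker=False)
        return first, downgraded, never_seen, after_forget


if __name__ == "__main__":
    print(demo())
```

As the message notes, this only protects users who fetched the archive while it was still signed; an attacker who strips the marker before a user's first visit is not detected by that user, which is why the local record matters mainly as a detection mechanism across the existing user base.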
