Jeroen van Wolffelaar <[EMAIL PROTECTED]> writes:

> Package: debmirror
> Version: 20041209
> Severity: wishlist
>
> Checking the integrity of the mirror is nice, and trying to check the
> signature on the archive is laudable. However, the latter has by default
> no real security, rather, it provides a false sense of security, as the
> only thing that is done is verifying the signature against the public
> keyring. This way, anybody with a key in your public keyring, or anybody
> at all if you auto-retrieve keys, can still tamper with the archive
> without debmirror noticing.
Many people I talked to did create a debmirror user that runs debmirror.
That user would only have the right key in its keyring and no auto-retrieve.
For those it brings a real security gain.

Joey Hess raised the issue that the gpg check breaks existing debmirror
configs and that it shouldn't be default because of that or should be
documented in a NEWS file.

Would it suffice for you if I document the new option in the NEWS file and
provide documentation on how to set up a debmirror user or a separate
debmirror keyring with the syntax below?

> Checking against tampering without either especially configuring which
> keys to trust or providing a good way to have debmirror do this for you
> brings you no real security, and therefore, I think it's best to not gpg
> check by default, just make it an option with a specific keyring, so
> that if one wants to verify, that's possible at the expense of
> maintaining a keyring with 'allowed' keys. You can have debmirror look
> in /etc/debmirror/archive_keys.pub or $HOME/.debmirror/archive_keys.pub
> for example, and use the gpg checking ability if that exists.

That would be /etc/debmirror/pubring.gpg and

  GNUPGHOME=/etc/debmirror debmirror ....

with the current syntax.

> --Jeroen

MfG
        Goswin
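The dedicated-keyring setup both messages describe (a GNUPGHOME holding only the archive key, no auto-retrieve), as an added example that is not from this thread or from debmirror itself. It assumes gpg 2.1 or newer; the keys, the Release file and the temporary directory standing in for /etc/debmirror are all constructed for the demo.

```shell
#!/bin/sh
# Added demo (not debmirror code): a Release signature is accepted only when it
# was made by a key in a keyring that holds nothing but the archive key.
set -e
WORK=$(mktemp -d)
ARCHIVE_HOME="$WORK/archive"      # stands in for the real archive signing key
ROGUE_HOME="$WORK/rogue"          # any other key a general-purpose keyring might hold
DEBMIRROR_HOME="$WORK/debmirror"  # stands in for /etc/debmirror
mkdir -m 700 "$ARCHIVE_HOME" "$ROGUE_HOME" "$DEBMIRROR_HOME"

# g HOME ARGS...: run gpg against one specific home; throwaway keys are unprotected.
g() { h=$1; shift; GNUPGHOME=$h gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

g "$ARCHIVE_HOME" --quick-generate-key "Archive Key (constructed) <archive@example.invalid>" default default never
g "$ROGUE_HOME"   --quick-generate-key "Rogue Key (constructed) <rogue@example.invalid>" default default never

# Constructed Release file, detach-signed by each key; only the first is legitimate.
printf 'Origin: Debian\nSuite: stable\n' > "$WORK/Release"
g "$ARCHIVE_HOME" --detach-sign --output "$WORK/Release.gpg.good"  "$WORK/Release"
g "$ROGUE_HOME"   --detach-sign --output "$WORK/Release.gpg.rogue" "$WORK/Release"

# The dedicated keyring gets exactly one key and is never configured to auto-retrieve.
g "$ARCHIVE_HOME" --export archive@example.invalid | g "$DEBMIRROR_HOME" --import

# verify_release SIGFILE: exit 0 only if the signature comes from a key in the dedicated keyring.
verify_release() {
  g "$DEBMIRROR_HOME" --verify "$1" "$WORK/Release" >/dev/null 2>&1
}

verify_release "$WORK/Release.gpg.good"  && echo "archive key signature: accepted"
verify_release "$WORK/Release.gpg.rogue" || echo "signature from a key not in the keyring: rejected"
```

With a general-purpose keyring (or auto-retrieve enabled) the rogue signature would verify just as cleanly, which is the false sense of security the report describes.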