On Sun, Apr 02, 2017 at 11:29:22AM +0800, Paul Wise wrote:
> On Sun, Apr 2, 2017 at 7:06 AM, gregor herrmann wrote:
>
> > % crontab -l | grep debian-keyring
> > 30 17 * * * /usr/bin/rsync -rlptDq
> > "keyring.debian.org::keyrings/keyrings/*.gpg"
> > /home/gregoa/.gnupg/debian-keyring
>
> The rsync protocol is unencrypted, I'd suggest switching this to SSH
> (one colon instead of two). You could also use rsync over TLS on port
> 1873 (uses the same cert as via http). I couldn't easily work out how
> to do it with stunnel but the following works with socat. I thought
> there was also a way to verify the keyring when it was at rest but
> can't find where I saw that.

If you do an rsync of keyring.debian.org::keyrings (no second
keyrings/) you get a sha512sums.txt file as well which will be signed
by one of keyring-maint.

J.

-- 
Give me liberty or I will cut |  .''`.  Debian GNU/Linux Developer
             you.             | : :' :  Happy to accept PGP signed
                              | `. `'   or encrypted mail - RSA
                              |   `-    key on the keyservers.
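
Added example, not part of the original message: one way to use the signed sha512sums.txt to verify a synced keyring at rest. It assumes the file is OpenPGP clearsigned with paths relative to the module root, GNU sha512sum, and a keyring of keyring-maint keys you already verified out of band; all function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify a synced Debian keyring tree at rest.
# Assumptions (not stated in the thread): sha512sums.txt is clearsigned,
# its paths are relative to the module root, and the trusted keyring
# holds keyring-maint keys whose fingerprints you checked out of band.

# Verify the signature and write ONLY the signed text to $3, so that
# unsigned lines placed around the signature block are never trusted.
verify_signed_sums() {   # $1=sha512sums.txt $2=trusted keyring $3=output
    gpgv --keyring "$2" --output "$3" "$1"
}

# Recompute every hash listed in the verified sums file.
# --strict turns malformed lines into an error instead of a warning.
check_tree() {           # $1=verified sums file $2=root of synced tree
    sums=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    ( cd "$2" && sha512sum --check --strict --quiet "$sums" )
}

# A file without an entry is not covered by the signature at all,
# so refuse to rely on a keyring whose path is not listed.
require_listed() {       # $1=verified sums file $2=relative path
    awk -v p="$2" '{ n = $2; sub(/^\*/, "", n) }
                   n == p { ok = 1 }
                   END { exit !ok }' "$1"
}

# Full check: signature, then coverage, then hashes.
verify_keyring() {       # $1=tree root $2=trusted keyring $3=relative path
    tmpd=$(mktemp -d) || return 1
    rc=0
    verify_signed_sums "$1/sha512sums.txt" "$2" "$tmpd/sums" &&
        require_listed "$tmpd/sums" "$3" &&
        check_tree "$tmpd/sums" "$1" || rc=$?
    rm -rf "$tmpd"
    return "$rc"
}

# Usage (paths are placeholders):
#   verify_keyring ~/keyring-mirror ~/trusted-keyring-maint.gpg \
#       keyrings/debian-keyring.gpg || echo "do not use this keyring" >&2
```

The hashes are checked against gpgv's output rather than the downloaded file, because only the text inside the signature is authenticated.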