On Mon, 25 Jan 1999, Lalo Martins wrote:
> Sounds good, as long as I can shut it off :-) Also, it should
> use the keyring in developers-keyring or one that comes with
> apt, otherwise the point is moot (anyone who can upload a .deb
> with a trojan can upload a Packages.pgp with a signature)

The only person that can upload a Packages.pgp file is the mirror
maintainer. The explanation is below.

> > This would require: a) gnu's version of pgp to work (so that we
> > don't request non-free software to get the free software)
>
> Here we go again. This would have the problem of requiring all
> developers to switch to gpg.

I definitely messed up this point, the only thing that is signed is the
_packages file_, not the individual packages. The only person with gpg is
the mirror maintainer. Actually, as long as gpg is compatible with pgp,
that doesn't even matter and the apt user simply picks what they want to
install.

> > and the bad part b) someone to be at the console when
> > generating packages files to type the pgp password.
>
> Huh? You don't need the passphrase to verify signatures.

Not verify, create. The pgp signature is for the packages file, not the
developers' packages themselves. This just means the process of moving
files from incoming to the tree needs to have a person at the console
because after the file is moved and the Packages and Packages.gz files are
created, the Packages file needs a pgp signature stored in Packages.pgp.

A less secure version would be to have the Packages.pgp file generated
automatically.

Sorry about the confusion,
Brandon

+--- ---+
| Brandon Mitchell * [EMAIL PROTECTED] * http://bhmit1.home.ml.org/ |
| The above is a completely random sequence of bits, any relation to |
| an actual message is purely accidental. |