On Sun, Dec 15, 2013 at 11:15 AM, adrelanos wrote:
> I can try that. Should that become a separate package or part of, well
> apt-get? It would probably just be three files, a config file, an
> /etc/apt/apt.conf.d/ config fragment and a bash script.
I'm guessing the apt package would be the place to put it.

My initial thought would be that the implementation, when run from the apt hook, would go through all the trusted keyrings and fetch the keys from each of them from the default keyservers in GPG:

/etc/apt/trusted.gpg
/etc/apt/trusted.gpg.d/*.gpg

That would probably be fine for most Debian users, but at that point I remembered that the Riseup OpenPGP best practices document has something to say about keyring refreshes: that keyring refreshes should happen using parcimonie to make correlation attacks harder. This would especially be a problem for folks with multiple PPAs in their apt trusted keys.

https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#make-sure-you-are-receiving-regular-key-updates

That complicates things but would probably still be doable. Thoughts:

- Add a system daemon for parcimonie that refreshes the apt keyring when tor & network are available.
- Add an apt hook that refreshes trusted.gpg keyrings in /etc that have not been touched recently (so it works when parcimonie or another refresh mechanism is not being run) and also checks all keyrings for revoked keys and reports them to the user.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: http://lists.debian.org/CAKTje6He6Qhg5P4ucV9x+qo=u==Hc=0btu4mpy-xle+z4by...@mail.gmail.com
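A sketch of the apt hook proposed in the message above, added here as an example; it is not code from pabs, adrelanos or the apt package. It assumes the script is installed as /usr/local/sbin/apt-check-keys and wired in through an apt.conf.d fragment using apt's existing APT::Update::Post-Invoke hook (a real apt option; the fragment name and script path are assumptions). The key IDs, fingerprints and user ID in the embedded sample are constructed to exercise the parser offline; the revoked/expired flags it reads are the validity field of gpg's --with-colons output as documented in gpg's doc/DETAILS.

```shell
#!/bin/sh
# Added example sketching the proposed apt hook (not from the original thread).
# Assumed wiring, in /etc/apt/apt.conf.d/99check-keys:
#   APT::Update::Post-Invoke { "/usr/local/sbin/apt-check-keys check"; };
# Without the "check" argument the script only runs its built-in demo.
set -eu

# Keyrings older than this many days get refreshed from the keyserver.
STALE_DAYS=${STALE_DAYS:-7}

# The keyrings apt trusts, as listed in the message (only those that exist).
apt_keyrings() {
    for kr in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
        if [ -f "$kr" ]; then echo "$kr"; fi
    done
}

# Read "gpg --with-colons --list-keys" output on stdin and print one line per
# revoked or expired primary key: STATUS KEYID FINGERPRINT UID.
# pub record field 2 is validity: r = revoked, e = expired; field 5 is the key ID.
# fpr record field 10 is the fingerprint; uid record field 10 is the user ID.
flagged_keys_from_colons() {
    awk -F: '
        $1 == "pub" {
            flag = ""
            if ($2 == "r") flag = "revoked"
            else if ($2 == "e") flag = "expired"
            keyid = $5; fpr = ""; reported = 0
            next
        }
        # First fpr after a flagged pub is the primary fingerprint (subkey fprs follow later).
        $1 == "fpr" && flag != "" && fpr == "" { fpr = $10; next }
        $1 == "uid" && flag != "" && !reported {
            printf "%s %s %s %s\n", flag, keyid, fpr, $10
            reported = 1
        }
    '
}

# True if the file was last modified more than $2 days ago.
is_stale() {
    [ -n "$(find "$1" -mtime +"$2" 2>/dev/null)" ]
}

# Refresh a keyring from gpg's default keyserver, but only when nothing else
# (parcimonie, for instance) has touched it recently. Refreshing every key in
# one go from one host is exactly the correlation risk the message raises.
refresh_keyring() {
    if is_stale "$1" "$STALE_DAYS"; then
        gpg --batch --no-default-keyring --keyring "$1" --refresh-keys
    fi
}

# Report revoked/expired keys in one keyring, prefixed with the keyring path.
report_keyring() {
    gpg --batch --no-default-keyring --keyring "$1" --with-colons --list-keys \
        | flagged_keys_from_colons | sed "s|^|$1: |"
}

check_keyrings() {
    for kr in $(apt_keyrings); do
        refresh_keyring "$kr"
        report_keyring "$kr"
    done
}

# Constructed sample of --with-colons output: one revoked key (with a subkey)
# and one good key. IDs and fingerprints are made up for the demo.
SAMPLE_COLONS='tru::1:1387000000:0:3:1:5
pub:r:4096:1:1234567890ABCDEF:1380000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:r::::1380000000::AAAA::Example Archive Signing Key <ftpmaster@example.org>::::::::::0:
sub:r:4096:1:FEDCBA0987654321:1380000000::::::e::::::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
pub:-:4096:1:0011223344556677:1380000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1380000000::BBBB::Example Good Key <good@example.org>::::::::::0:'

case "${1:-demo}" in
    check) check_keyrings ;;
    demo)  printf '%s\n' "$SAMPLE_COLONS" | flagged_keys_from_colons ;;
esac
```

Run as "apt-check-keys check" from the hook; with no argument it parses the embedded sample and prints the one revoked key. The keyring must be writable by the invoking user for --refresh-keys to store updated certificates, and --refresh-keys goes to whatever keyserver gpg.conf configures, so on a host where parcimonie handles refreshes the staleness gate keeps the hook from duplicating (and de-anonymising) that work.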