Your message dated Thu, 07 Sep 2006 19:14:24 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Closing this bug due to lack of complaints
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: debmirror
Version: 20041209
Severity: wishlist

Checking the integrity of the mirror is nice, and trying to check the
signature on the archive is laudable. However, the latter has by default
no real security, rather, it provides a false sense of security, as the
only thing that is done is verifying the signature against the public
keyring. This way, anybody with a key in your public keyring, or anybody
at all if you auto-retrieve keys, can still tamper with the archive
without debmirror noticing.

Checking against tampering without either especially configuring which
keys to trust or providing a good way to have debmirror do this for you
brings you no real security, and therefore, I think it's best to not gpg
check by default, just make it an option with a specific keyring, so
that if one wants to verify, that's possible at the expense of
maintaining a keyring with 'allowed' keys. You can have debmirror look
in /etc/debmirror/archive_keys.pub or $HOME/.debmirror/archive_keys.pub
for example, and use the gpg checking ability if that exists.

--Jeroen

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)

Versions of packages debmirror depends on:
ii  bzip2                         1.0.2-1    A high-quality block-sorting file 
ii  libcompress-zlib-perl         1.33-3     Perl module for creation and manip
ii  liblockfile-simple-perl       0.2.5-4    Simple advisory file locking
ii  libnet-perl                   1:1.19-1   Implementation of Internet protoco
ii  libwww-perl                   5.800-2    WWW client/server library for Perl
ii  perl [libdigest-md5-perl]     5.8.4-5    Larry Wall's Practical Extraction 
ii  perl-modules [libnet-perl]    5.8.4-5    Core Perl modules
ii  rsync                         2.6.3-2    fast remote file copy program (lik

-- no debconf information

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED]
http://jeroen.A-Eskwadraat.nl


--- End Message ---
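The contrast the report draws, as an added example that is neither part of the bug report nor of debmirror itself: a check that accepts any key present in the local public keyring against one that accepts only keys in a dedicated allowlist keyring, the approach the report proposes. It assumes gnupg (gpg and gpgv) is installed; the keys, the example.invalid addresses, the stand-in Release file and the temporary paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not debmirror code): the two checks the bug report contrasts.
# Assumes gnupg (gpg and gpgv) is installed; every key and file is constructed.
set -e

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"            # stands in for the mirror host's public keyring
mkdir -m 700 "$GNUPGHOME" "$WORK/stranger"

# Unattended key generation with an empty passphrase (constructed throwaway keys).
gen_key() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Constructed archive key, living on the mirror host.
gen_key --quick-generate-key 'archive <archive@example.invalid>' default default never
# Constructed unrelated key, generated elsewhere; only its public half later lands
# in the local keyring, as happens with key auto-retrieval.
gen_key --homedir "$WORK/stranger" \
        --quick-generate-key 'stranger <stranger@example.invalid>' default default never

# Stand-in for a Release file, detached-signed once by each key.
printf 'Origin: Debian\nSuite: testing\n' > "$WORK/Release"
gpg --batch --quiet --local-user archive@example.invalid \
    --detach-sign -o "$WORK/Release.gpg" "$WORK/Release"
gpg --batch --quiet --homedir "$WORK/stranger" --local-user stranger@example.invalid \
    --detach-sign -o "$WORK/Release.stranger.gpg" "$WORK/Release"
gpg --batch --quiet --homedir "$WORK/stranger" --export stranger@example.invalid \
    | gpg --batch --quiet --import

# Allowlist keyring holding only the archive key (the report suggests a path
# such as /etc/debmirror/archive_keys.pub for this file).
gpg --batch --quiet --export archive@example.invalid > "$WORK/archive_keys.pub"

# Weak check: a good signature from any key in the public keyring, trusted
# or not, makes gpg exit 0 (it only prints a warning about trust).
weak_check() {   # $1 = detached signature; returns 0 if gpg accepts it
  gpg --batch --quiet --verify "$1" "$WORK/Release" 2>/dev/null
}

# Strict check: gpgv consults only the allowlist keyring, so a signature from
# any other key fails with "No public key".
strict_check() { # $1 = detached signature; returns 0 if gpgv accepts it
  gpgv --quiet --keyring "$WORK/archive_keys.pub" "$1" "$WORK/Release" 2>/dev/null
}
```

Run with `weak_check "$WORK/Release.stranger.gpg"` and `strict_check "$WORK/Release.stranger.gpg"` to see the stranger's signature pass the first and fail the second.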
--- Begin Message ---
Hi,

some time ago you raised an objection to debmirror always running gpg
to verify the archive. Since I still believe it is the right[tm] thing
to do and there have been no other users complaining about the issue I
am now closing this bug.

As stated there are ways to make the gpg check secure which I believe
was your main objective (a false sense of security) so hopefully I'm
not just ignoring your opinion.

MfG
        Goswin

--- End Message ---