On Sat, Dec 30, 2017 at 6:57 PM, peter green wrote:

> * what keys would be used to sign these re-signed release files? You
> wouldn't want to use a regular Debian archive key because you wouldn't want
> people to be able to use snapshots to attack Debian users.

They would have to be separate keys from the Debian archive key because that is on an HSM.

> * How secure would the re-signing infrastructure be?

I guess the signing would have to be online and on-demand, so we probably would have one offline key with subkeys in HSMs at each snapshot location.

> It wouldn't solve the issue of how to find that
> damn Release/Sources pair in the first place.

I would leave that part to apt plus the API:

https://anonscm.debian.org/cgit/mirror/snapshot.debian.org.git/tree/API
http://snapshot.debian.org/mr/package/iotop/
http://snapshot.debian.org/mr/package/iotop/0.6-2/srcfiles
http://snapshot.debian.org/mr/file/3671b737bad959b7c76dc1fad205951965b54f9a/info
http://snapshot.debian.org/archive/debian/20160729T163942Z/pool/main/i/iotop/iotop_0.6.orig.tar.gz.asc

deb-src http://snapshot.debian.org/archive/debian/20160729T163942Z/

> I have attached my attempt at a tool for downloading source packages
> securely from snapshot.debian.org. It seems to work, comments/improvements
> welcome.

If you would like to add more endpoints to the API, that would probably be a good idea to reduce the complexity of your script.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
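The "apt plus the API" route above, as an added example that is not peter green's attached tool and not part of the thread: it walks the three API endpoints quoted in the message (package versions, srcfiles, file info) to build the /archive/<archive>/<first_seen>/<path>/<name> URL for each file of a source package, downloads it, and checks the bytes against the SHA-1 the API keyed the file by. The JSON shapes follow the API document linked above; the sample responses, file contents and the helper names (locate_source_files, fetch_verified, sample_get_json, sample_get_bytes) are constructed and hypothetical so the script runs offline. Note the limit of what this checks: the SHA-1 from the API proves you received the file the API described, not that the file is what the signed Release/Sources chain vouches for, which is exactly the re-signing gap the thread is about.

```python
"""Locate and hash-verify Debian source files via the snapshot.debian.org API.

Added example, not code from the thread. Response shapes follow the API
document linked in the message; the sample data below is constructed.
"""
import hashlib
import json
import urllib.request
from urllib.parse import quote

SNAPSHOT = "http://snapshot.debian.org"


def sha1_hex(data: bytes) -> str:
    # snapshot.debian.org identifies every archived file by its SHA-1.
    return hashlib.sha1(data).hexdigest()


def srcfiles_url(package: str, version: str) -> str:
    # /mr/package/<package>/<version>/srcfiles lists the hashes of all files of that source version.
    return f"{SNAPSHOT}/mr/package/{quote(package)}/{quote(version, safe='')}/srcfiles"


def fileinfo_url(sha1: str) -> str:
    # /mr/file/<hash>/info says where (archive, path, first_seen) that file lives.
    return f"{SNAPSHOT}/mr/file/{sha1}/info"


def archive_url(info: dict) -> str:
    # Same layout as the .asc URL quoted in the thread: /archive/<archive>/<first_seen>/<path>/<name>
    return "/".join([SNAPSHOT, "archive", info["archive_name"], info["first_seen"],
                     info["path"].strip("/"), info["name"]])


def locate_source_files(package: str, version: str, get_json):
    """Return [(sha1, archive URL)] for every file of one source package version."""
    listing = get_json(srcfiles_url(package, version))
    located = []
    for entry in listing["result"]:
        sha1 = entry["hash"]
        infos = get_json(fileinfo_url(sha1))["result"]
        if not infos:
            raise LookupError(f"no archive location known for {sha1}")
        # A file may appear in several archives/paths; use its earliest appearance.
        info = min(infos, key=lambda i: i["first_seen"])
        located.append((sha1, archive_url(info)))
    return located


def fetch_verified(sha1: str, url: str, get_bytes) -> bytes:
    """Download url and refuse the bytes unless they hash to the SHA-1 the API gave."""
    data = get_bytes(url)
    actual = sha1_hex(data)
    if actual != sha1:
        raise ValueError(f"hash mismatch for {url}: expected {sha1}, got {actual}")
    return data


# Real transports for live use (not exercised by the offline sample below).
def http_get_json(url: str):
    with urllib.request.urlopen(url) as resp:  # noqa: S310 - fixed https-less host per thread
        return json.load(resp)


def http_get_bytes(url: str) -> bytes:
    with urllib.request.urlopen(url) as resp:
        return resp.read()


# ---- constructed offline sample standing in for the live API and archive ----
SAMPLE_FILES = {
    "iotop_0.6-2.dsc": b"constructed .dsc contents, not the real file\n",
    "iotop_0.6.orig.tar.gz": b"constructed orig tarball contents, not the real file\n",
}
SAMPLE_HASHES = {name: sha1_hex(data) for name, data in SAMPLE_FILES.items()}
SAMPLE_RESPONSES = {
    srcfiles_url("iotop", "0.6-2"): {
        "package": "iotop", "version": "0.6-2",
        "result": [{"hash": h} for h in SAMPLE_HASHES.values()],
    },
}
SAMPLE_ARCHIVE = {}
for _name, _hash in SAMPLE_HASHES.items():
    _info = {"name": _name, "archive_name": "debian", "path": "/pool/main/i/iotop",
             "first_seen": "20160729T163942Z", "size": len(SAMPLE_FILES[_name])}
    SAMPLE_RESPONSES[fileinfo_url(_hash)] = {"hash": _hash, "result": [_info]}
    SAMPLE_ARCHIVE[archive_url(_info)] = SAMPLE_FILES[_name]


def sample_get_json(url: str):
    return SAMPLE_RESPONSES[url]


def sample_get_bytes(url: str) -> bytes:
    return SAMPLE_ARCHIVE[url]


def demo() -> dict:
    """Fetch and verify every file of iotop 0.6-2 from the constructed sample; returns {name: bytes}."""
    located = locate_source_files("iotop", "0.6-2", sample_get_json)
    return {url.rsplit("/", 1)[1]: fetch_verified(sha1, url, sample_get_bytes) for sha1, url in located}


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"verified {name}: {len(data)} bytes")
```

For live use, pass http_get_json and http_get_bytes instead of the sample_ functions; to get the real chain of trust rather than a locator hash, the .dsc fetched this way still has to be checked against a signed Sources index, which is the part the thread is asking how to obtain.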
