On Fri, Jun 18, 2010 at 11:51 PM, Denis A. Altoé Falqueto <[email protected]> wrote:
> On Sat, Jun 19, 2010 at 1:18 AM, Denis A. Altoé Falqueto
> <[email protected]> wrote:
>> On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae <[email protected]> wrote:
>>> On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
>>> The signatures are currently placed in the repo-db. So only the repo db
>>> needs to be downloaded and not individual signatures. If an attacker deletes the
>>> repo database and its signature, that is probably the least of our issues...
>>> There will be many copies of a recent signed database that we can recover
>>> all the signatures from.
>>
>> Hmm, I see. And it is a good idea, indeed.
>>
>> But I've tested two packages (go-openoffice, 130M, and libxfontcache,
>> 8K) to see how this will affect the final size of the database. The
>> size of the signatures was 543 bytes each. So the size of the package
>> will not affect the size of the signatures. What could affect it is the
>> key used, given the hash algorithm is the same. My current key has
>> 2024 bits in length. The table below summarizes the expected increase for
>> each repository:
>>
>> http://pastebin.com/ppfe5dxw
>
> I've tested with my local cache. It currently contains 808 packages.
> I've signed them all and tarred without compression and with gzip,
> bzip2 and lzma to see what gives. All the signatures are the same size
> (543 bytes each).
>
> tar: 1200 K
> tar.gz: 444 K
> tar.bz2: 425 K
> tar.xz: 428 K
>
> Assuming that we'll only store 1/3 of the total size of the
> signatures, the new table gets:
>
> http://pastebin.com/BNwd1MAf
>
> The sizes are in KB and the final size of the db is the current plus the
> size of the compacted signatures. Looking at that table now, it could
> be feasible, at least for the user. There'll be an increase in
> bandwidth consumption too, because every time someone syncs his
> databases, almost the same signatures are being served...
Honestly you're worried about a non-issue here. The size of the DBs is fine before and after, and we already serve up 98% of the same info every time someone downloads a DB; package signatures are not that different from any other field already there. -Dan
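The quoted measurement makes a point worth checking directly: a detached signature's size is fixed by the key (modulus length) and the armoring, not by the size of the package it covers. The Go program below, an added example that is not part of this thread or of pacman, reproduces that check with the standard library: it signs payloads of very different lengths with one RSA key and reports the raw signature length, then approximates the ASCII-armored size and the repo-db growth under the "store 1/3 after compression" assumption from the thread. The hash (SHA-256), the PKCS#1 v1.5 padding, the 90-byte armor allowance and the sample payload sizes are assumptions of this example, not details from the thread.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// signatureLength signs a constructed payload of payloadLen bytes with key
// and returns the raw (binary) signature length. The payload is all zeros
// because only its length matters for this measurement.
func signatureLength(key *rsa.PrivateKey, payloadLen int) (int, error) {
	payload := make([]byte, payloadLen)
	digest := sha256.Sum256(payload) // assumption: SHA-256 as the fixed hash
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return 0, err
	}
	return len(sig), nil
}

// armoredLength approximates the on-disk size of an ASCII-armored detached
// signature: base64 of the raw bytes plus a flat allowance for the
// BEGIN/END lines and blank line (the allowance is an assumption).
func armoredLength(rawLen int) int {
	const armorOverhead = 90
	return base64.StdEncoding.EncodedLen(rawLen) + armorOverhead
}

// dbGrowthKB estimates the repo-db growth in KB when one signature of
// sigBytes is stored per package for n packages and the signature data
// shrinks by ratio r under compression (1.0/3 matches the thread's estimate).
func dbGrowthKB(n, sigBytes int, r float64) float64 {
	return float64(n*sigBytes) * r / 1024
}

func main() {
	for _, bits := range []int{2048, 3072} {
		key, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			panic(err)
		}
		// 8 KiB vs 4 MiB stands in for the thread's 8K vs 130M comparison.
		for _, size := range []int{8 * 1024, 4 * 1024 * 1024} {
			n, err := signatureLength(key, size)
			if err != nil {
				panic(err)
			}
			fmt.Printf("key %d bits, payload %8d bytes: raw sig %d bytes, armored ~%d bytes\n",
				bits, size, n, armoredLength(n))
		}
	}
	fmt.Printf("808 packages, 543-byte sigs, 1/3 kept after compression: +%.0f KB\n",
		dbGrowthKB(808, 543, 1.0/3))
}
```

Running it shows the raw signature is exactly the modulus size in bytes (256 for a 2048-bit key, 384 for 3072) for both payloads, so the per-package cost in a repo db is a constant decided by the signing key, which is the figure to plug into a size table rather than anything derived from package sizes.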
