On Sat, Dec 30, 2017 at 6:57 PM, peter green wrote:

> * what keys would be used to sign these re-signed release files? You
> wouldn't want to use a regular Debian archive key because you wouldn't want
> people to be able to use snapshots to attack Debian users.

They would have to be separate keys to the Debian archive key because
that is on a HSM.

> * How secure would the re-signing infrastructure be?

I guess the signing would have to be online and on-demand, so we
probably would have one offline key with subkeys in HSMs at each
snapshot location.

> It wouldn't solve the issue of how to find that
> damn Release/Sources pair in the first place.

I would leave that part to apt plus the API:

https://anonscm.debian.org/cgit/mirror/snapshot.debian.org.git/tree/API
http://snapshot.debian.org/mr/package/iotop/
http://snapshot.debian.org/mr/package/iotop/0.6-2/srcfiles
http://snapshot.debian.org/mr/file/3671b737bad959b7c76dc1fad205951965b54f9a/info
http://snapshot.debian.org/archive/debian/20160729T163942Z/pool/main/i/iotop/iotop_0.6.orig.tar.gz.asc
deb-src http://snapshot.debian.org/archive/debian/20160729T163942Z/

> I have attatched my attempt at a tool for downloading source packages
> securely from snapshot.debian.org. It seems to work, comments/improvements
> welcome.

If you would like to add more endpoints to the API, that would
probably be a good idea to reduce the complexity of your script.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

_______________________________________________
vcs-pkg-discuss mailing list
vcs-pkg-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/vcs-pkg-discuss

Reply via email to