Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
From: Tom Lord
Subject: Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
Date: Fri, 26 Dec 2003 20:01:11 -0800 (PST)
> From: Andrew Suffield <address@hidden>
> Not instead of, but also:
> If we ever see a =meta-info/signed-archive file, record that locally
> (presumably in .arch-params); if we have a local record and the
> archive is unsigned, abort immediately. Such records would never be
> reverted except via explicit user intervention.
> That won't help users who never touched the archive before it was
> compromised, but it will both help existing users, and serve as a
> fairly effective mechanism for detection (only *one* person has to
> report the archive corruption).
> It introduces a constraint that you never convert a signed archive
> into an unsigned one - which is probably a reasonable constraint.
What I've actually done is slightly different.
To check signatures on client-side operations, you create a file in
~/.arch-params/signing. For example, to check a given ARCHIVE you
put a rule in:
~/.arch-params/ARCHIVE.check
If an archive is signed, but you have no rule, but do have:
~/.arch-params/=default.check
Now, if you have:
~/.arch-params/ARCHIVE.check
but ARCHIVE is not signed -- that's a fatal error.
-t
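
The two downgrade checks discussed in this message, sketched as an added example (not tla's code and not written by either poster): the sticky local record from the quoted proposal, and the fatal error when a .check rule exists for an archive that is unsigned. The seen-signed directory, the function names and the modelling of an archive as a local directory are assumptions; the =default.check case is not modelled.

```python
import os
import tempfile

class ArchiveDowngrade(Exception):
    """An archive that must be signed was found unsigned."""

def is_signed(archive_dir):
    # Marker file named in the quoted proposal.
    return os.path.exists(os.path.join(archive_dir, "=meta-info", "signed-archive"))

def check_archive(params_dir, name, archive_dir):
    """Return True if signed (caller then verifies signatures), False if unsigned
    and nothing says it should be signed; raise ArchiveDowngrade otherwise."""
    rule = os.path.join(params_dir, name + ".check")     # path as written in the message
    pin = os.path.join(params_dir, "seen-signed", name)  # hypothetical pin location
    if is_signed(archive_dir):
        os.makedirs(os.path.dirname(pin), exist_ok=True)
        open(pin, "a").close()  # sticky: nothing in this code ever removes it
        return True
    if os.path.exists(rule):
        raise ArchiveDowngrade(name + ": .check rule present but archive is unsigned")
    if os.path.exists(pin):
        raise ArchiveDowngrade(name + ": previously seen signed, now unsigned")
    return False

def outcome(params_dir, name, archive_dir):
    try:
        return "signed" if check_archive(params_dir, name, archive_dir) else "unsigned"
    except ArchiveDowngrade as exc:
        return "abort: " + str(exc)

def demo():
    """Constructed scenario in a temporary directory; no real archive is touched."""
    with tempfile.TemporaryDirectory() as root:
        params, archive = os.path.join(root, "params"), os.path.join(root, "archive")
        os.makedirs(params)
        os.makedirs(os.path.join(archive, "=meta-info"))
        marker = os.path.join(archive, "=meta-info", "signed-archive")
        results = [outcome(params, "a", archive)]      # never seen signed, unsigned
        open(marker, "w").close()
        results.append(outcome(params, "a", archive))  # signed: pin recorded
        os.remove(marker)
        results.append(outcome(params, "a", archive))  # pin present, now unsigned
        open(os.path.join(params, "b.check"), "w").close()
        results.append(outcome(params, "b", archive))  # rule present, unsigned
        return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```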