Securely retrieving dscs from snapshot.debian.org
Paul Wise
pabs at debian.org
Sun Dec 31 03:18:18 UTC 2017
On Sat, Dec 30, 2017 at 6:57 PM, peter green wrote:
> * what keys would be used to sign these re-signed release files? You
> wouldn't want to use a regular Debian archive key because you wouldn't want
> people to be able to use snapshots to attack Debian users.
They would have to be separate keys to the Debian archive key because
that is on an HSM.
> * How secure would the re-signing infrastructure be?
I guess the signing would have to be online and on-demand, so we
probably would have one offline key with subkeys in HSMs at each
snapshot location.
> It wouldn't solve the issue of how to find that
> damn Release/Sources pair in the first place.
I would leave that part to apt plus the API:
https://anonscm.debian.org/cgit/mirror/snapshot.debian.org.git/tree/API
http://snapshot.debian.org/mr/package/iotop/
http://snapshot.debian.org/mr/package/iotop/0.6-2/srcfiles
http://snapshot.debian.org/mr/file/3671b737bad959b7c76dc1fad205951965b54f9a/info
http://snapshot.debian.org/archive/debian/20160729T163942Z/pool/main/i/iotop/iotop_0.6.orig.tar.gz.asc
deb-src http://snapshot.debian.org/archive/debian/20160729T163942Z/
> I have attached my attempt at a tool for downloading source packages
> securely from snapshot.debian.org. It seems to work, comments/improvements
> welcome.
If you would like to add more endpoints to the API, that would
probably be a good idea to reduce the complexity of your script.
--
bye,
pabs
https://wiki.debian.org/PaulWise
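The lookup-then-verify flow described in the message above (resolve a source package's files through the snapshot.debian.org machine-readable API, build the archive URLs from the timestamp and pool path, then check the downloaded bytes against the SHA-1 that snapshot uses as the file identifier), as an added example that is not Paul Wise's script, peter green's attached tool, or snapshot.debian.org's own code. The network calls are replaced by constructed JSON and constructed file bodies so it runs offline; the JSON field names follow the API's documented srcfiles/fileinfo shape, but the hash, sizes and file contents are made up, and the function names are this example's own.

```python
"""Resolve and verify source files from snapshot.debian.org (added example).

The snapshot API identifies files by SHA-1; this script turns an
srcfiles response into archive URLs and refuses any download whose
bytes do not hash to the identifier the API returned.  Fetching is
injectable so the example runs offline against constructed data.
"""
import hashlib
import json
import posixpath

SNAPSHOT = "http://snapshot.debian.org"

# Constructed stand-in for GET /mr/package/iotop/0.6-2/srcfiles?fileinfo=1
# (the hash below is simply sha1(b"abc"); it is not the real iotop .dsc).
FAKE_SRCFILES = json.loads("""{
  "package": "iotop",
  "version": "0.6-2",
  "result": [
    {"hash": "a9993e364706816aba3e25717850c26c9cd0d89d"}
  ],
  "fileinfo": {
    "a9993e364706816aba3e25717850c26c9cd0d89d": [
      {"archive_name": "debian",
       "first_seen": "20160729T163942Z",
       "name": "iotop_0.6-2.dsc",
       "path": "/pool/main/i/iotop",
       "size": 3}
    ]
  }
}""")

# Constructed file bodies keyed by the URL the resolver would fetch.
FAKE_FILES = {
    SNAPSHOT + "/archive/debian/20160729T163942Z/pool/main/i/iotop/iotop_0.6-2.dsc": b"abc",
}


def srcfile_urls(srcfiles):
    """Map each source file's archive URL to the SHA-1 snapshot gave for it.

    The URL is built exactly as the archive paths in the thread:
    /archive/<archive_name>/<first_seen>/<pool path>/<name>.
    """
    out = {}
    for entry in srcfiles["result"]:
        sha1 = entry["hash"]
        for info in srcfiles["fileinfo"][sha1]:
            url = "%s/archive/%s/%s%s" % (
                SNAPSHOT, info["archive_name"], info["first_seen"],
                posixpath.join(info["path"], info["name"]))
            out[url] = sha1
    return out


def verify(data, expected_sha1):
    """True only if the downloaded bytes hash to the API's identifier."""
    return hashlib.sha1(data).hexdigest() == expected_sha1


def fetch_and_verify(srcfiles, fetch=FAKE_FILES.get):
    """Fetch every source file and separate verified from mismatching ones.

    `fetch(url)` returns bytes or None; a real caller would pass a
    urllib-based function instead of the constructed lookup table.
    """
    good, bad = {}, []
    for url, sha1 in srcfile_urls(srcfiles).items():
        data = fetch(url)
        if data is None or not verify(data, sha1):
            bad.append(url)      # missing or tampered: never keep it
        else:
            good[url] = data
    return good, bad


def deb_src_line(archive, timestamp, suite, components=("main",)):
    """apt sources.list line pinning a snapshot, as in the thread."""
    return "deb-src %s/archive/%s/%s/ %s %s" % (
        SNAPSHOT, archive, timestamp, suite, " ".join(components))


if __name__ == "__main__":
    good, bad = fetch_and_verify(FAKE_SRCFILES)
    for url in good:
        print("verified", url)
    for url in bad:
        print("MISMATCH", url)
    print(deb_src_line("debian", "20160729T163942Z", "sid"))
```

The SHA-1 match only proves you got the bytes snapshot indexed, not that those bytes are what Debian signed; the real integrity anchor is still the signed .dsc (and the Release/Sources pair the message says apt should handle), which is why a mismatching file is discarded rather than merely reported. When pointing apt at an old snapshot, its Release file's Valid-Until will have passed, so apt needs the `check-valid-until=no` source option, which deliberately gives up freshness protection and is exactly the gap the re-signing discussion above is about.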