[2012-09-15 23:24:57 +0200] Florian Pritz:
Did we abandon the idea of having packagers download the old DB, check its signature, do changes to it, sign the new DB, and upload it back? Because I would certainly find this much safer and trustworthy than having a black-box server blindly sign anything it is given.
Limiting the shell creates a trusted server, which makes signing the databases way more secure, because even if we use remote signing the hash is calculated on the server.
Do we really need remote signing for the DB, given that each of us already downloads the DB when upgrading, most likely several times a day? I do not think downloading it a couple more times when pushing packages will change much. Then I see no need to trust the server: I download the current DB and its signature, check it (it's by Florian P, and of course I trust him), apply my changes, sign and upload back. -- Gaetan
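The packager-side cycle Gaetan describes (download the current DB and its signature, verify the signature against a key you already trust, apply the changes locally, sign the result, upload it) written out as an added POSIX shell example. This is not code from the thread or from the Arch tooling; the mirror URL, upload target, trusted-keyring path and the REPO_ADD/WORKDIR variables are assumptions, and the only external tools relied on are curl, gpg, repo-add and scp.

```shell
#!/bin/sh
# Hypothetical packager-side workflow: fetch, verify, modify, re-sign, upload.
# Every name below is an assumption for this example, not project configuration.

REPO_DB=${REPO_DB:-core.db.tar.gz}
MIRROR=${MIRROR:-https://mirror.example.org/core/os/x86_64}            # constructed
UPLOAD=${UPLOAD:-packager@repos.example.org:/srv/repo/core/os/x86_64}  # constructed
TRUSTED_KEYRING=${TRUSTED_KEYRING:-$HOME/.gnupg/packager-trust.gpg}    # assumed path
REPO_ADD=${REPO_ADD:-repo-add}        # lets a caller point at a specific install
WORKDIR=${WORKDIR:-$(mktemp -d)}

# Fetch the current DB and its detached signature from the mirror.
fetch_db() {
    curl -fsSL -o "$WORKDIR/$REPO_DB" "$MIRROR/$REPO_DB" &&
    curl -fsSL -o "$WORKDIR/$REPO_DB.sig" "$MIRROR/$REPO_DB.sig"
}

# Verify the detached signature against the trusted packager keyring only.
# --no-default-keyring means a signature from any other key does not verify.
verify_db() {
    gpg --batch --no-default-keyring --keyring "$TRUSTED_KEYRING" \
        --verify "$WORKDIR/$REPO_DB.sig" "$WORKDIR/$REPO_DB"
}

# Add the new package file(s) to the local copy of the DB.
update_db() {
    "$REPO_ADD" "$WORKDIR/$REPO_DB" "$@"
}

# Sign the modified DB with the packager's own default key.
sign_db() {
    gpg --batch --yes --detach-sign --output "$WORKDIR/$REPO_DB.sig" \
        "$WORKDIR/$REPO_DB"
}

# Upload DB and signature together so the mirror never serves a mismatched pair.
upload_db() {
    scp "$WORKDIR/$REPO_DB" "$WORKDIR/$REPO_DB.sig" "$UPLOAD/"
}

# Full cycle. Fails closed: a failed step stops everything before the upload.
# Returns 0 on success, otherwise a code identifying the step that failed.
push_packages() {
    fetch_db       || { echo "fetch failed" >&2; return 1; }
    verify_db      || { echo "refusing to modify: DB signature not trusted" >&2; return 2; }
    update_db "$@" || { echo "repo-add failed" >&2; return 3; }
    sign_db        || { echo "signing failed" >&2; return 4; }
    upload_db      || { echo "upload failed" >&2; return 5; }
}

# Usage: push_packages foo-1.0-1-x86_64.pkg.tar.xz
```

The verify step is the one that removes the need to trust the server: it accepts only signatures from keys in the named keyring, and an untrusted or missing signature aborts before repo-add runs, so nothing is signed or uploaded on top of a DB the packager has not checked.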