Re: [arch-releng] February release
Sven-Hendrik Haase <sh@lutzhaase.com> on Thu, 2013/01/31 13:34:
On 31.01.2013 13:33, Christian Hesse wrote:
Sven-Hendrik Haase <sh@lutzhaase.com> on Thu, 2013/01/31 13:19:
On 31.01.2013 13:02, Christian Hesse wrote:
Pierre Schmitz <pierre@archlinux.de> on Wed, 2013/01/30 19:12:
I am going to build a new ISO image on Friday. I did a test build today and everything looks fine. It's just updated packages; no changes to ais nor archiso. Let me know if there are any known issues or blockers.
This is not about the ISO itself but its download...
Torrent download files can contain more than just one file. How about including gpg signature for the ISO file? Possibly this increases the number of people actually checking the authenticity of downloaded files.
Frankly, why? The torrent already guarantees you didn't get bad data.
Sure. But the gpg signature is not (only) about integrity but authenticity.
If you get a bad (not broken) torrent file you could download a bad ISO image without noticing anybody is fooling you.
Oh so you want to gpg the torrent file itself? Well, that could work, I guess.
No, I do not want to sign the torrent file. I want the ISO image and a gpg signature for that inside the torrent file. Even if anybody fools you, signs his own ISO with his own key and puts these into a torrent file you can easily verify after download:

$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Thu 31 Jan 2013 01:56:51 PM CET using DSA key ID 2409C107
gpg: Can't check signature: No public key
==> ERROR: The signature identified by archlinux-2013.01.04-dual.iso.sig could not be verified.

Output should look like this though, note this only happens if the key is in pacman's keyring and trusted with the required level:

$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Fri 04 Jan 2013 11:07:27 PM CET using RSA key ID 9741E8AC
gpg: NOTE: trustdb not writable
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>"

--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
On Thu, Jan 31, 2013 at 7:03 AM, Christian Hesse <list@eworm.de> wrote:
Sven-Hendrik Haase <sh@lutzhaase.com> on Thu, 2013/01/31 13:34:
On 31.01.2013 13:33, Christian Hesse wrote:
Sven-Hendrik Haase <sh@lutzhaase.com> on Thu, 2013/01/31 13:19:
On 31.01.2013 13:02, Christian Hesse wrote:
Pierre Schmitz <pierre@archlinux.de> on Wed, 2013/01/30 19:12:
I am going to build a new ISO image on Friday. I did a test build today and everything looks fine. It's just updated packages; no changes to ais nor archiso. Let me know if there are any known issues or blockers.
This is not about the ISO itself but its download...
Torrent download files can contain more than just one file. How about including gpg signature for the ISO file? Possibly this increases the number of people actually checking the authenticity of downloaded files.
Frankly, why? The torrent already guarantees you didn't get bad data.
Sure. But the gpg signature is not (only) about integrity but authenticity.
If you get a bad (not broken) torrent file you could download a bad ISO image without noticing anybody is fooling you.
Oh so you want to gpg the torrent file itself? Well, that could work, I guess.
No, I do not want to sign the torrent file. I want the ISO image and a gpg signature for that inside the torrent file. Even if anybody fools you, signs his own ISO with his own key and puts these into a torrent file you can easily verify after download:
$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Thu 31 Jan 2013 01:56:51 PM CET using DSA key ID 2409C107
gpg: Can't check signature: No public key
==> ERROR: The signature identified by archlinux-2013.01.04-dual.iso.sig could not be verified.
Output should look like this though, note this only happens if the key is in pacman's keyring and trusted with the required level:
$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Fri 04 Jan 2013 11:07:27 PM CET using RSA key ID 9741E8AC
gpg: NOTE: trustdb not writable
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>"

--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
For the paranoid, we do sign the ISO file itself and the PGP signature has always been available from our https://www.archlinux.org/download/ page. I don't see any reason to include it in the torrent. If you got a bad torrent file, I'm not sure where you got it from - we serve both the download page with magnet link over HTTPS and also the torrent file itself.

-Dan
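Added example, not part of the thread and not Arch Linux tooling: a shell check that reads gpg's machine-readable `--status-fd` lines and separates the two outcomes quoted above ("No public key" versus a good signature), plus the case where a signature verifies but was made by a key other than the one you pinned. The pinned fingerprint, the sample status lines and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `gpg --status-fd` output against a pinned fingerprint.
# Assumption: constructed placeholder, NOT a real release-key fingerprint.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# classify_status EXPECTED_FPR  (gpg status lines on stdin)
# Prints one of: trusted | wrong-key | unknown-key | rejected | unverified
classify_status() {
    expected=$1; verdict=unverified
    while read -r tag keyword f1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                verdict=rejected; break ;;
            NO_PUBKEY)
                # Signer's key is not in the keyring: nothing was verified.
                if [ "$verdict" = unverified ]; then verdict=unknown-key; fi ;;
            VALIDSIG)
                # f1 = signing-key fingerprint, last field = primary-key fingerprint.
                primary=${rest##* }
                if [ "$f1" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    verdict=trusted
                else
                    verdict=wrong-key   # cryptographically valid, but not the pinned key
                fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_detached SIG FILE: run gpg on a detached signature and classify the result.
verify_detached() {
    gpg --batch --no-tty --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_status "$PINNED_FPR"
}

# Constructed status lines (key IDs, names and fingerprints are made up).
sample_unknown() { printf '%s\n' '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'; }
sample_wrong() {
    printf '%s\n' '[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Other Signer' \
        '[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2013-01-31 1359637011 0 4 0 17 2 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF'
}
sample_good() {
    printf '%s\n' '[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key' \
        "[GNUPG:] VALIDSIG $PINNED_FPR 2013-01-04 1357337247 0 4 0 1 2 00 $PINNED_FPR"
}

for s in sample_unknown sample_wrong sample_good; do
    printf '%s: %s\n' "$s" "$($s | classify_status "$PINNED_FPR")"
done
```

Only `trusted` means the file was signed by the pinned key; the fingerprint to pin has to come from a channel other than the torrent, such as the HTTPS download page mentioned in the reply.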