On Fri, Jun 18, 2010 at 11:51 PM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Sat, Jun 19, 2010 at 1:18 AM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae <allan@archlinux.org> wrote:
On 19/06/10 03:45, Denis A. Altoé Falqueto wrote: The signatures are currently placed in the repo-db. So only the repo db needs downloaded and not individual signatures. If an attacker deletes the repo database and its signature, that is probably the least of our issues... There will be many copies of a recent signed database that we can recover all the signatures from.
Hmm, I see. And it is a good idea, indeed.
But I've tested two packages (go-openoffice, 130M, and libxfontcache, 8K) to see how this will affect the final size of the database. The size of the signatures was 543 bytes each. So the size of the package will not affect the size of the signatures. What could affect is the key used, given the hash algorithm is the same. My current key has 2024 bits length The table bellow resume the expected increase for each repository:
I've tested with my local cache. It currently contains 808 packages. i've signed them all and tarred without compression and with gzip, bzip2 and lzma to see what gives: All the signatures are the same size (543 bytes each).
tar: 1200 K tar.gz: 444 K tar.bz2 425 K tar.xz: 428 K
Assuming that we'll only store 1/3 of the total size of the signatures, the new table gets:
The sizes are in KB and the final size of db is the current plus the size of the compacted signatures. Looking at that table now, it could be feasible, at least for the user. There'll be an increase in bandwidth consumption too, because every time someone syncs his databases, almost the same signatures are being served...
Honestly you're worried about a non-issue here. The size of the DBs is fine before and after, and we already serve up 98% of the same info every time someone downloads a DB; package signatures are not that different from any other field already there. -Dan