[pacman-dev] GPG remote signing
Rémy Oudompheng
remyoudompheng at gmail.com
Sun Jun 12 05:19:24 EDT 2011
On 2011/6/12 Kerrick Staley <mail at kerrickstaley.com> wrote:
> On Fri, Jun 10, 2011 at 5:45 PM, Dan McGee <dpmcgee at gmail.com> wrote:
>> I've done a fair amount of research on what we might be able to do
>> with this during the afternoon here. Some observations below. This is
>> mainly addressing point four in Thomas' prior email
>> (http://mailman.archlinux.org/mailman/private/arch-dev/2011-May/014193.html).
> Could you please explain what the situation is? I do not have access
> to the arch-dev archives. In particular, what do you mean by "location
> A" and "location B"?
>
> You want developers to be able to sign databases without copying them
> to their local machines, correct? I vote for (4), then. (1) provides
> complete security against an attacker with access to the main server,
> but it may be hassling. (2), (3), and (4) ultimately don't provide any
> security against an attacker with access to the main server (at least
> until the attack is discovered), but with (2) and (3) keys will need
> to be revoked after an attack (the developer's and the server's,
> respectively), whereas with (4) nothing will have to be done (except
> secure the server). Also, an attack against (4) would probably be
> harder to mount for the attacker and easier to notice for the
> developers.
I personally vote for signing the hash, but not for having two sorts
of signatures. Isn't there any way to split GnuPG's code into the
hashing part and the encryption part?
Rémy.
More information about the pacman-dev
mailing list