<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>Jeff, thanks for your explanation. I have a feeling I've understood it this way, so please confirm:<br><br></div>1. Before release and repository freeze, a list of gpg keys needs to be generated from each rpm file in the repository<br></div>2. This list must be uploaded to <a href="http://virtual-notary.org">virtual-notary.org</a><br></div>3. The list is signed by virtual-notary<br></div>4. The list is placed on the repository with a public certificate from virtual-notary<br></div>5. Done<br><br></div><div>BTW: the idea is very interesting :)<br><br></div>I have a couple of questions/ideas:<br></div>1. It would be nice if urpmi could verify a gpg key from a signed list taken from the mirror.<br></div>2. What about the /updates directory on the mirror? This directory is not frozen after release, so this means new packages will be arriving there. How to handle these packages with the above solution? IMHO recreating the list each time an rpm gets published and then uploading it to virtual-notary and generating a new certificate is a big effort. I wonder how virtual-notary will react if we upload a couple of lists per day.<br></div>Maybe update 1 time per day? You know, a user can install an update just a couple of seconds after it gets published on the repository.<br><br></div>3. Is there any API for <a href="http://virtual-notary.org">virtual-notary.org</a>?<br><div><div><div><div><div><div><div><div><div><br><br></div></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-18 12:43 GMT+01:00 Jeff Johnson <span dir="ltr">&lt;<a href="mailto:n3npq@mac.com" target="_blank">n3npq@mac.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
On Jan 18, 2016, at 5:56 AM, Jeff Johnson wrote:<br>
<br>
>><br>
>> I do not understand what non-repudiable means :(<br>
>><br>
><br>
> Apologies for the techno jargon (but I am reluctant to invent newer! better! bestest! terms)<br>
><br>
> A repudiation is a statement denying some claim like this:<br>
> Q: Did you modify anything in the package?<br>
> A: No.<br>
><br>
> So a non-repudiable signature is a public/global assertion that nothing whatsoever is changed.<br>
<br>
</span>Here is perhaps a better (i.e. more explicit) example of repudiation(s):<br>
<br>
Claim: My machine was rooted by installing a *Mandriva rpm package from this mirror.<br>
Repudiation #1: That package wasn't downloaded from this mirror.<br>
Repudiation #2: That is not a *Mandriva package because it's not signed with a Mandriva key.<br>
Repudiation #3: That is not a package produced by rpm because (various reasons, like the<br>
package might have been altered after being built).<br>
<br>
By including a non-repudiable signature, #3 provides a stronger/transparent mechanism that a<br>
package was not altered after being built.<br>
<br>
By registering a manifest with virtual-notary, *Mandriva would be providing some means to resolve<br>
the issues associated with #1 and #2, and avoiding issues related to "official" key compromises.<br>
<br>
hth<br>
<br>
73 de Jeff<br>
<br>
</blockquote></div><br></div>