Re: [Tails-dev] [RFC] Dropping requirement for OpenPGP commu…

Supprimer ce message

Répondre à ce message
Auteur: intrigeri
Date:  
À: The Tails public development discussion list
Sujet: Re: [Tails-dev] [RFC] Dropping requirement for OpenPGP communication with HTTP mirror operators?
hey,

sajolida wrote (14 Mar 2016 15:21:21 GMT) :
> intrigeri:
>> sajolida wrote (11 Mar 2016 16:40:08 GMT) :
>> ⇒ If anyone feels like we should really do that, then at this point
>> they'd better be ready to contribute some time to help with it (in
>> practice our mirrors team went from 2 active members to 1 in the last
>> 6-12 months or so). But given we've not had these nice security
>> properties for months, and our world didn't end anyway, maybe it's no
>> big deal and we can just forget about it?


> Sure.


I'll wait a bit more, to let a chance to people who think differently
(those who have already expressed it, as well as those who haven't
yet) to digest the updates we provided, and check how they feel now.

>>> Also, this can be dealt with without OpenPGP signature: we can ask
>>> operators to put a token file with some random number on their server
>>> when requesting to be removed (as we've done some times I think).
>>
>> For this to work, they need to drop --delete from their rsync cronjob,
>> or we have to be able to check the token file within 1 hour (don't
>> count on it), or we need to adjust all rsync cronjobs to ignore a new
>> directory where such token files would live. Nothing impossible, but
>> in this area, frankly I'm personally not going to do more than
>> reviewing good patches.


> Sure, I didn't think about this and that would be a pain. But I proposed
> this because I remember you using similar tricks in the past already,
> no?


I think so too, but I don't remember the details, except that
sometimes the timing was tricky.

> Could we ask people to drop a token file anywhere on they server
> outside of the reach of rsync --delete?


Yes, this can work if they (can) host other stuff than ours on
their webserver.

Cheers,
--
intrigeri