
Re: [tor-relays] Debian relay Puppet module



On 16 June 2014 at 08:56:20, Alexander Fortin (alexander.fortin@xxxxxxxxx) wrote:
> On Mon, Jun 16, 2014 at 4:40 AM, Moritz Bartl wrote:
> > You should never rely on short key IDs for anything. They can be forged
> > within minutes. When you look at
> > https://www.torproject.org/docs/debian.html.en , it fetches the key
> > using the short key ID, but only imports a key that matches the whole
> > fingerprint.
>  
> Ok

Done. There's a bug in the latest version of puppetlabs/apt (1.5.0) that's currently limiting the key name to 8 or 16 digits:

https://github.com/puppetlabs/puppetlabs-apt/pull/314

so I'm currently forcing the dependency to version 1.4.2

I've also added missing LICENSE and Modulefile files (for automatic dependency resolution via librarian-puppet or similar).
I'm going to add the missing RSpec files in the next few days.

> > I found keys.gnupg.net to be unreliable sometimes, it would be good to
> > have some fallback options.
>  
> Maybe add these fallback options to
> https://www.torproject.org/docs/debian.html.en too?

I also checked the latest version of the apt module but unfortunately there's no default mechanism to fall back in case of a non-responsive default GPG server. Anyway, the worst case scenario is that Puppet agent will fail because of the timeout (i.e. not installing anything until the key is fetched), so security should not be compromised.

Latest version: https://github.com/shaftoe/puppet-tor/tree/fixes

--  
Alexander Fortin
http://about.me/alexanderfortin
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
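
The two points discussed in this message (import a key only when the whole fingerprint matches, and fail closed when no keyserver answers) can be sketched as the following shell functions. This is an added example, not code from puppet-tor or puppetlabs-apt; the function names are hypothetical, the fingerprints in the sample listing are constructed dummies, and the keyservers to try are whatever the caller passes in.

```shell
#!/bin/sh
# Added example; not part of puppet-tor or puppetlabs-apt.

# Constructed `gpg --with-colons --fingerprint` listing (dummy fingerprints).
SAMPLE_LISTING='pub:-:2048:1:89ABCDEF01234567:1251331200:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1251331200::X::Constructed Example Key:
sub:-:2048:1:1111111122222222:1251331200::::::s:
fpr:::::::::AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBB:'

# Strip spaces, uppercase, and accept only a full 40-hex-digit fingerprint,
# so 8- or 16-digit key IDs are refused outright.
normalize_fpr() {
    nf=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$nf" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#nf}" -eq 40 ] || return 1
    printf '%s\n' "$nf"
}

# Print the fingerprint of every primary key in a colon listing read from stdin
# (the fpr record that follows a pub record; subkey fingerprints are skipped).
primary_fprs() {
    awk -F: '$1=="pub"{p=1; next} $1=="sub"{p=0} p && $1=="fpr"{print $10; p=0}'
}

# Succeed only if the listing holds exactly one primary key and it is the wanted one.
keyring_matches() {
    km_want=$(normalize_fpr "$1") || return 2
    [ "$(primary_fprs)" = "$km_want" ]
}

# Usage: fetch_verified_key FINGERPRINT KEYSERVER...
# Tries each keyserver in a fresh throwaway keyring and prints the armored key
# only after the full-fingerprint check. If every server fails, nothing is
# printed and the return code is non-zero (fail closed).
fetch_verified_key() {
    fv_fpr=$1; shift
    for fv_ks in "$@"; do
        fv_home=$(mktemp -d) || return 1
        if gpg --homedir "$fv_home" --batch --keyserver "$fv_ks" \
               --recv-keys "$fv_fpr" >/dev/null 2>&1 &&
           gpg --homedir "$fv_home" --batch --with-colons --fingerprint |
               keyring_matches "$fv_fpr"; then
            gpg --homedir "$fv_home" --batch --armor --export
            rm -rf "$fv_home"; return 0
        fi
        rm -rf "$fv_home"
    done
    return 1
}
```

Only `fetch_verified_key` touches the network; the other functions can be exercised offline against `SAMPLE_LISTING`.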