On 16 June 2014 at 08:56:20, Alexander Fortin (alexander.fortin@gmail.com) wrote:
On Mon, Jun 16, 2014 at 4:40 AM, Moritz Bartl wrote:
You should never rely on short key IDs for anything. They can be forged within minutes. When you look at https://www.torproject.org/docs/debian.html.en , it fetches the key using the short key ID, but only imports a key that matches the whole fingerprint.
Ok
Done. There's a bug in the latest version of puppetlabs/apt (1.5.0) that's currently limiting the key name to 8 or 16 digits:
https://github.com/puppetlabs/puppetlabs-apt/pull/314
so I'm currently forcing the dependency to version 1.4.2.
I've also added the missing LICENSE and Modulefile files (for automatic dependency resolution via librarian-puppet or similar). I'm going to add the missing RSpec files in the next few days.
I found keys.gnupg.net to be unreliable sometimes; it would be good to have some fallback options.
Maybe add these fallback options to https://www.torproject.org/docs/debian.html.en too?
I also checked the latest version of the apt module, but unfortunately there's no default mechanism to fall back in case of a non-responsive default GPG server. Anyway, the worst-case scenario is that the Puppet agent will fail because of the timeout (i.e. not installing anything until the key is fetched), so security should not be compromised.
Latest version: https://github.com/shaftoe/puppet-tor/tree/fixes
--
Alexander Fortin
http://about.me/alexanderfortin
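The check Moritz describes (fetch by short key ID, but import only a key whose full fingerprint matches), combined with the fallback keyservers the thread asks for, as an added shell example that is not part of the thread or of the puppet-tor module. The fingerprints, key IDs and the fallback keyserver hostname are placeholders or constructed values, not the Tor project's.

```shell
# Added example, not code from the thread or the puppet-tor module. Fetch a key
# by short ID (as the Tor Debian page does), trying fallback keyservers in turn,
# and add it to apt only if the full 40-hex-digit fingerprint matches.
set -u

# Print primary-key fingerprints from `gpg --with-colons --fingerprint` output on
# stdin: field 1 is the record type, field 10 of an 'fpr' record the fingerprint;
# the first 'fpr' after a 'pub' record is the primary key, later ones are subkeys.
primary_fpr() {
    awk -F: '$1 == "pub" {want = 1; next}
             $1 == "fpr" && want {print $10; want = 0}'
}

# Canonical form: no spaces, upper case.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Succeeds only if the expected fingerprint is a primary-key fingerprint in the
# colon output on stdin; anything else (no key, a subkey, a forged short ID) fails.
fpr_matches() {
    if primary_fpr | tr 'a-f' 'A-F' | grep -qxF "$(normalize_fpr "$1")"; then
        return 0
    fi
    return 1
}

# Usage: fetch_verified_key <short-id> <40-hex-fingerprint> keys.gnupg.net <fallback-keyserver>
fetch_verified_key() {
    short_id=$1; expected=$(normalize_fpr "$2"); shift 2
    tmp=$(mktemp -d) || return 1; rc=1
    for ks in "$@"; do
        gpg --homedir "$tmp" --batch --keyserver "$ks" --recv-keys "$short_id" 2>/dev/null || continue
        if gpg --homedir "$tmp" --batch --with-colons --fingerprint | fpr_matches "$expected"; then
            # Export by full fingerprint so a colliding short ID can never be picked up.
            gpg --homedir "$tmp" --batch --export "$expected" | apt-key add - && rc=0
            break
        fi
        echo "key $short_id from $ks: fingerprint mismatch, not imported" >&2
    done
    [ "$rc" -eq 0 ] || echo "no keyserver delivered a key matching $expected" >&2
    rm -rf "$tmp"; return "$rc"
}

# Constructed colon output (one primary key, one subkey) to exercise the check offline.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scSC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:76543210FEDCBA98:1400000000::::::s::::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
# Offline check against the sample: true for the primary fingerprint, false otherwise.
demo_check() { printf '%s\n' "$SAMPLE_COLONS" | fpr_matches "$1"; }
```

Only the full fingerprint is ever exported, so even if a keyserver returns several keys sharing the short ID, the wrong one cannot end up in apt's keyring.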