[tor-relays] Debian relay Puppet module
Alexander Fortin
alexander.fortin at gmail.com
Tue Jun 17 09:47:28 UTC 2014
On 16 June 2014 at 08:56:20, Alexander Fortin (alexander.fortin at gmail.com) wrote:
> On Mon, Jun 16, 2014 at 4:40 AM, Moritz Bartl wrote:
> > You should never rely on short key IDs for anything. They can be forged
> > within minutes. When you look at
> > https://www.torproject.org/docs/debian.html.en , it fetches the key
> > using the short key ID, but only imports a key that matches the whole
> > fingerprint.
>
> Ok
Done. There's a bug in the latest version of puppetlabs/apt (1.5.0) that’s currently limiting the key name to 8 or 16 digits:
https://github.com/puppetlabs/puppetlabs-apt/pull/314
so I’m currently forcing the dependency to version 1.4.2.
I've also added the missing LICENSE and Modulefile files (for automatic dependency resolution via librarian-puppet or similar).
I’m going to add the missing RSpec files in the next few days.
> > I found keys.gnupg.net to be unreliable sometimes, it would be good to
> > have some fallback options.
>
> Maybe add these fallback options to
> https://www.torproject.org/docs/debian.html.en too?
I also checked the latest version of the apt module but unfortunately there’s no default mechanism to fall back in case of a non-responsive default GPG server. Anyway, the worst-case scenario is that the Puppet agent will fail because of the timeout (i.e. not installing anything until the key is fetched), so security should not be compromised.
Latest version: https://github.com/shaftoe/puppet-tor/tree/fixes
--
Alexander Fortin
http://about.me/alexanderfortin
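
The pattern discussed in this thread (look a key up by short ID, accept it only on a full-fingerprint match, try fallback keyservers, fail closed) as an added example that is not part of the original message or of the puppet-tor module. The fingerprints, server names and the `demo_fetch` stand-in are constructed for illustration; a real fetcher would return `gpg --with-colons` output for the key a keyserver served.

```shell
# Constructed sample data (not real keys): two fingerprints that share the
# short key ID DEADBEEF, in the record format printed by `gpg --with-colons`.
PINNED_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF'
GENUINE='pub:-:4096:1:89ABCDEFDEADBEEF:1250000000:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:'
FORGED='pub:-:4096:1:76543210DEADBEEF:1400000000:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:'

# Strip spaces and upper-case the hex digits.
normalise() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }
# Short key ID: the last 8 hex digits of a fingerprint.
short_id() { normalise "$1" | tail -c 8; }
# Primary-key fingerprint: field 10 of the first "fpr" record on stdin.
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# fpr_matches PINNED LISTING: true only on a full 40-digit match.
fpr_matches() {
  _want=$(normalise "$1")
  _got=$(printf '%s\n' "$2" | primary_fpr)
  [ "${#_want}" -eq 40 ] && [ "$_got" = "$_want" ]
}

# Hypothetical stand-in for a keyserver lookup by short ID ($2).
demo_fetch() {
  case "$1" in
    ks1.example) return 1 ;;                   # unreachable, timed out
    ks2.example) printf '%s\n' "$FORGED" ;;    # serves the colliding key
    ks3.example) printf '%s\n' "$GENUINE" ;;   # serves the pinned key
  esac
}

# fetch_verified PINNED FETCHER SERVER...
# Prints the first server whose key matches the pinned fingerprint in full;
# returns non-zero (install nothing) if no server yields a matching key.
fetch_verified() {
  _pin=$1; _fetch=$2; shift 2
  for _srv in "$@"; do
    _listing=$("$_fetch" "$_srv" "$(short_id "$_pin")") || continue
    if fpr_matches "$_pin" "$_listing"; then
      printf '%s\n' "$_srv"
      return 0
    fi
  done
  return 1
}

fetch_verified "$PINNED_FPR" demo_fetch ks1.example ks2.example ks3.example
```

Both constructed keys answer to the same short ID, so only the full-fingerprint comparison tells them apart; an unreachable server is skipped and an exhausted server list is a hard failure.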