Pithos

Making decryption keys "field replaceable"

Asked by Joshua Kugler

Would it be possible to abstract out the decryption in such a way that they keys used to decrypt the streams could be downloaded from a trusted server, and not require updating a releasing a new package. That way, when new keys come out, it would not require a new package to be released, but just new keys to be posted, which Pithos clients could then download. Yes, it would require every user on a system downloading the keys, but with just a few K per key (I assume) it shouldn't be too much of a load. This of course wouldn't help when there is a login API change.

Question information

Language:
English Edit question
Status:
Solved
For:
Pithos Edit question
Assignee:
No assignee Edit question
Solved by:
Kevin Mehall
Solved:
Last query:
Last reply:
Revision history for this message
Best Kevin Mehall (kevin-mehall) said : 		#1

I've considered this, but most key changes are accompanied with changes to the protocol. It could download that too, but we already have a nice tool for distributing code updates -- apt-get.

It's unfortunate that the Ubuntu/Debian repositories take so long to update when there is a new Pithos release, but the PPA workflow is fairly ideal for Pithos's needs. If only there were a PPA-like system for other distros...

Revision history for this message
Joshua Kugler (jkugler) said : 		#2

Good point, and the PPAs are updated very quickly. But most people aren't even aware of the PPAs...they barely know how to use the package manager. Hmm...how "acceptable" is it for a package to add a .list file to /etc/apt/sources.d when it installs? You could add your PPA to that directory when you install, so all those who install the package from the official archives would get the updates when they happen.

Revision history for this message
Joshua Kugler (jkugler) said : 		#3

Thanks Kevin Mehall, that solved my question.