From: eli-schwartz <eli-schwartz@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [RFC/POC] Support checks for signify signature inside xbps-src
Date: Tue, 02 Feb 2021 04:53:35 +0100
Message-ID: <20210202035335.tiWwJf6PhibuZTAs1kz3am02UMhNuao14pBLdHOW3Uk@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-28400@inbox.vuxu.org>
New comment by eli-schwartz on void-packages repository
https://github.com/void-linux/void-packages/pull/28400#issuecomment-771336697
Comment:
> The idea was flown around on IRC and it tickled me. It's probably of very limited utility, but who knows, maybe the recent PGP crisis drives people towards signify :P
Disclaimer: "the idea" was my suggestion that PGP verification of the large body of software out there that *is* signed today with PGP signatures would be a good idea. :D
Since .sig is a valid and common PGP signature extension, heuristically detecting which flavor it is might be necessary in the event someone implements the, uh, more common variety in xbps-src.
...
Again, as mentioned in IRC, implementing PGP verification support need not force every user to install GnuPG. pacman/makepkg has an option to disable checking PGP (on by default), xbps-src can have an option to enable it (off by default). As long as it is there and can be validated, people can double-check that the known distfile with the known checksum does validate using PGP. (I would advise official builders to enable such checks, if off by default.)
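The comment above notes that `.sig` is used for both signify and PGP signatures, so a verifier has to look at the file contents to tell them apart. The following is an added example, not part of the original comment and not code from xbps-src: a content-based classifier whose function and constant names are hypothetical, and whose sample inputs are constructed. It relies on the signify layout (an `untrusted comment: ` line followed by base64 of a 2-byte `Ed` algorithm tag, 8-byte key number and 64-byte signature) and on the OpenPGP packet header, where signature packets carry tag 2.

```python
import base64
import binascii

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
SIGNIFY_COMMENT = b"untrusted comment: "
SIGNIFY_SIG_LEN = 2 + 8 + 64  # pkalg + key number + Ed25519 signature

# Constructed sample inputs (not real signatures).
CONSTRUCTED_SIGNIFY = (b"untrusted comment: constructed sample\n"
                       + base64.b64encode(b"Ed" + bytes(72)) + b"\n")
CONSTRUCTED_PGP_BINARY = bytes([0x89, 0x02, 0x33, 0x04, 0x00])


def _is_signify(data: bytes) -> bool:
    # Only the first two lines matter; embedded signatures append the message.
    lines = data.split(b"\n")
    if len(lines) < 2 or not lines[0].startswith(SIGNIFY_COMMENT):
        return False
    try:
        blob = base64.b64decode(lines[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(blob) == SIGNIFY_SIG_LEN and blob[:2] == b"Ed"


def _is_binary_pgp_signature(data: bytes) -> bool:
    # Every OpenPGP packet header has bit 7 set; bit 6 selects the format.
    if not data or not data[0] & 0x80:
        return False
    first = data[0]
    if first & 0x40:               # new format: tag in bits 5-0
        tag = first & 0x3F
    else:                          # old format: tag in bits 5-2
        tag = (first >> 2) & 0x0F
    return tag == 2                # 2 = signature packet


def sig_flavor(data: bytes) -> str:
    """Return 'signify', 'pgp-armored', 'pgp-binary' or 'unknown'."""
    if _is_signify(data):
        return "signify"
    if data.lstrip().startswith(ARMOR_HEADER):
        return "pgp-armored"
    if _is_binary_pgp_signature(data):
        return "pgp-binary"
    return "unknown"
```

The classifier only decides which verifier to hand the file to; an `unknown` result should fail the build rather than skip verification.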
Thread overview: 17+ messages
2021-02-02 2:37 [PR PATCH] " ericonr
2021-02-02 2:48 ` [PR PATCH] [Updated] " ericonr
2021-02-02 3:53 ` eli-schwartz [this message]
2021-02-02 18:42 ` Chocimier
2021-02-02 18:45 ` eli-schwartz
2021-02-02 18:48 ` Chocimier
2021-02-02 18:50 ` ericonr
2021-02-02 18:52 ` Chocimier
2021-02-02 18:53 ` Chocimier
2021-02-02 19:04 ` eli-schwartz
2021-02-02 19:05 ` ericonr
2021-02-02 20:04 ` Chocimier
2021-02-02 20:29 ` eli-schwartz
2021-02-02 20:55 ` Chocimier
2021-02-03 15:14 ` [PR PATCH] [Updated] " ericonr
2022-05-03 2:14 ` github-actions
2022-05-17 2:14 ` [PR PATCH] [Closed]: " github-actions