Re: [Cvs-dev] Re: [Cvs-test-results] CVS trunk testing results (BSDI BSD/OS)

[Derek R. Price]

Jim Hyslop wrote:
> >warns if the "latest gpg" version number is out of date?  Am I going
> > overboard?
>   
>
> Depends on your perspective :=) From the security point of view, not in
> the least. Some paranoi^H^H^H^H^H^H^H conscientious security people
> might say you aren't going far enough.

What about the doc patch?  Acceptable?

> I think we should not test for a specific revision of GPG. Keeping GPG
> up to date is outside the scope of CVS. We should take every reasonable
> effort to ensure that CVS works properly with the latest version of GPG,
> and to that extent we should ensure that sanity.sh tests pass properly.

I agree that actually keeping GPG up-to-date is outside the scope of
CVS, but I do still feel that if I'm going to advertise a new feature as
secure, it would be polite to at least warn potentially new users who
might be somewhat ignorant of security matters and inclined to trust CVS
that there may be issues involved in keeping their GPG up-to-date.

At least, those users savvy enough to read the CVS manual or run
sanity.sh, anyhow.  :)

> It would probably be helpful to have a reminder for the maintainers to
> make sure it's up to date, and possibly allow the reminder to be
> user-configurable for those users who may want to be reminded as well.

Well, a reminder means a --version test, doesn't it?  What about, like I
said, a hard-coded value in sanity.sh that only causes a loud warning to
be printed about updating GPG, with a hook in `make distcheck' to poll
gnupg.org and see if there is a more recent general release version
available for download than is specified in sanity.sh?

Regards,

Derek
-- 
Derek R. Price
CVS Solutions Architect
Get CVS support at Ximbiot <http://ximbiot.com>!
v: +1 248.835.1260
f: +1 248.835.1263
<mailto:address@hidden>