
Re: [Cvs-dev] Re: [Cvs-test-results] CVS trunk testing results (BSDI BSD


From: Mark D. Baushke
Subject: Re: [Cvs-dev] Re: [Cvs-test-results] CVS trunk testing results (BSDI BSD/OS)
Date: Mon, 08 May 2006 13:05:27 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Derek R. Price <address@hidden> writes:

> Okay.  I've attached a new patch.  I noticed while I was working on it
> that I neglected to document the `sign' and `verify' commands, but I
> will work on that with the sign/verify help patch you suggested.

Okay.

> At the moment, I'm inclined to only test GPG.  Perhaps, if the
> executable does not appear to be GPG, then sanity.sh should just print
> a generic warning about the tests being intended for GPG and running
> anyhow and remember to keep your implementation up-to-date if you are
> relying on it for security.

Yes, this seems reasonable.

> > 2) Some vendors have been known to patch security concerns into
> > down-revision releases of software. There is no way to know if 'gpg
> > --version' which returns a '1.2.3' is or is not the latest version
> > of the tool for a particular host operating system or not.
> 
> True, but since this is only a warning, it shouldn't hurt to ignore
> that and remind the user to check when the version doesn't look
> up-to-date as far as we knew as of the CVS release date.

Good point.

> It occurs to me that it isn't uncommon for a user to be running a 5
> year old version of CVS, which would only warn about versions of GPG
> also at least 5 years old, making this whole exercise seem a bit
> pointless anyhow.  Then again, at least there would be potentially
> useful warnings for people who kept up with CVS.

Yup.

[...patch elided...]

The patch looks good to me.

        Thanks,
        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEX6SHCg7APGsDnFERAky9AKDkVUXF+7TuIsz9Z+4kdnHM2/qj1wCgkTiu
IvuHtD5dmAEM41LfSwYP8c4=
=P0eA
-----END PGP SIGNATURE-----
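An added example (not part of the original message, and not code from CVS or its sanity.sh): a shell version of the check discussed in this thread, which warns generically when the tool does not identify itself as GPG and reminds the user to check when the reported version looks older than a baseline. The function names and the `BASELINE` value are hypothetical; the sample `--version` lines are constructed.

```shell
#!/bin/sh
# Constructed placeholder for "newest GPG version known as of the release date".
BASELINE="1.4.3"

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# classify_gpg TEXT: TEXT is the output of `<tool> --version`.
# Prints "not-gpg", "old:<version>" or "ok:<version>".
classify_gpg() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case $first in
        "gpg (GnuPG) "[0-9]*) ver=${first#"gpg (GnuPG) "} ;;
        *) echo "not-gpg"; return 0 ;;
    esac
    ver=${ver%%[!0-9.]*}    # drop any suffix such as "-beta1"
    if version_lt "$ver" "$BASELINE"; then echo "old:$ver"; else echo "ok:$ver"; fi
}

# gpg_warning TEXT: print the warning to show before the tests, if any.
# Both cases only warn; the tests run regardless.
gpg_warning() {
    case $(classify_gpg "$1") in
        not-gpg) echo "warning: these tests are intended for GPG; running anyhow." \
                      "Keep your implementation up-to-date if you rely on it for security." ;;
        old:*)   echo "warning: this GPG version looks older than $BASELINE." \
                      "Vendors may patch older releases, so check that yours is current." ;;
        ok:*)    : ;;
    esac
}

# Constructed sample inputs (first line of `--version` output).
for sample in "gpg (GnuPG) 1.2.3" "gpg (GnuPG) 1.4.3" "othertool 0.1"; do
    printf '%s -> %s\n' "$sample" "$(classify_gpg "$sample")"
done
```

In a test script, the argument would be the captured output of the configured signing tool's `--version` call.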



