gnu-arch-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch

From: Karel Gardas
Subject: Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch
Date: Mon, 8 Dec 2003 08:38:24 +0100 (CET) 
On Mon, 8 Dec 2003, Robert Collins wrote:

> On Mon, 2003-12-08 at 08:48, Karel Gardas wrote:
> > > For users wanting to gpg check in phase 1, it's easy: archive-mirror to
> > > the local disk, with copying signatures enabled. Then run the integrity
> > > checking script tom proposed.
> >
> > Aha, now I understand, you are talking about support for signatures on
> > commit, etc. (i.e. pushing something into the archive) and avoiding any
> > support for sigs. verification when the changeset is used. Yes, whole
> > archive verification is quite easy scripting work...
>
> Not avoiding, just ignoring ;). The signatures will be available after
> all.

Yes, I understand.

> > In fact, during my thinking about the topic I came with reverse idea:
> > verify signatures on get/etc. but sign changesets manually directly in
> > archive + push-mirror change to push dump-copy of sign files.
>
> Ah. Well, for remote archives (i.e. http/ftp) there is an obvious hole -
> that is that you don't trust the transport. So signing before upload is
> important.

I was not clear, this is of course possible only for local archives
(trusted).

Karel
--
Karel Gardas                  address@hidden
ObjectSecurity Ltd.           http://www.objectsecurity.com
reply via email to
[Prev in Thread] Current Thread [Next in Thread]