gnu-arch-users

Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch


From: Robert Collins
Subject: Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch
Date: Tue, 09 Dec 2003 06:05:43 +1100

On Mon, 2003-12-08 at 18:48, Karel Gardas wrote:
> > Yes.
> > Trivial case: uploading from an unsigned mirror to a signed public
> > mirror.
> 
> This might be changed to script signing whole mirror + push-mirror of
> signed archive.

It could, yes. 

> > Trivial case: The public mirror is to be all signed by the 'authorised
> > uploader', not the individual contributors.
> 
> This might be the case, but it applies only to multi-developer archives and
> is not IMHO a showstopper => doesn't need to be addressed in your
> "immediate" solution.

Well, we don't know the use cases that will be used. The immediate
solution needs to DTRT for any remote archive, for changeset uploads.
And, there is little extra complexity here AFAICT.

> > > BTW: for x509 you will need to change --gpg-key to something else. What
> > > about using: --sign-key=<string> --sign-mech=<mech>, where mech might be
> > > ``gpg'' or ``x509'' or others...
> >
> > Wouldn't it make sense to simply use x509 all the time ?
> 
> I don't think so, since many people do not have their own x509
> certificate, but they seem to use OpenPGP.
> 
> > Alternatively, we could have a gpg-options="--sign-key=rbtcollins
> > --sign-mech=x509" tla command, which is then passed through to gpg.
> 
> Do not forget that, for example, the BSD community will at least like to use
> a non-GPL solution here: i.e. pgp, openssl. -- which IMHO should also be
> supported.

Well, pgp isn't even open source, so I don't see that making the bsd
community happy. And openssl is a transport, not relevant here (AFAIK).

So, we need either a generic parameter, or a couple of pass through
parameters for gpg etc behaviour, and a configurable command for the
gpg-like program to run.

Rob

-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.

Attachment: signature.asc
Description: This is a digitally signed message part

