
Re: [Gnu-arch-users] Re: MD5 is broken


From: John Arbash Meinel
Subject: Re: [Gnu-arch-users] Re: MD5 is broken
Date: Wed, 16 Mar 2005 10:01:50 -0600
User-agent: Mozilla Thunderbird 1.0 (Macintosh/20041206)

Aaron Bentley wrote:

> John Arbash Meinel wrote:
>
>> Why not put both detached signatures into the checksum file?
>
> It's not 'both', it's 'all', and in many cases, 'all' is 4 or more
> files.  That's a lot of times to enter your password for signing.
>
> (gpg: --clearsign does not yet work with --multifile)
>
> Aaron

Again, my feeling was to make it expandable, so that if someone wants to
turn on gpg signing, they know in advance that they should probably set
up a gpg-agent of some sort. Actually, since baz now requests 2
signatures on a commit, it motivated me to set up gpg-agent.

My statement was to let people be as paranoid as they want to be. If
they don't want an agent and want to sign 4 times, let them.

I wasn't advocating that it was the default. Probably the best default
would be sha + file-length; I personally would like to see sha-256. If
we want to do sha + md5 + file length by default, that's fine.

But I think adding support for allowing real signatures to be made,
rather than only signatures of hashes would be preferred.

Remember, doing a "tag" already requires 2 sigs, because it does a cacherev.

It is a shame that "--multifile" isn't supported.

John
=:->
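To make the "sha + file-length" default concrete, here is an added example (not code from the thread or from GNU Arch/baz): it builds one manifest covering every file in a revision, recording the SHA-256 digest and byte length of each, so that a single clearsign over the manifest covers all files at once instead of one signature per file. The manifest line format (`sha256 <hex> <length> <name>`) is an assumption made for this example, and the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def file_digest_and_length(path):
    """Stream a file, returning (sha256 hex digest, length in bytes)."""
    h = hashlib.sha256()
    length = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            length += len(chunk)
    return h.hexdigest(), length


def build_manifest(directory):
    """One line per file: 'sha256 <hex> <length> <name>' (assumed format)."""
    lines = []
    for name in sorted(os.listdir(directory)):
        digest, length = file_digest_and_length(os.path.join(directory, name))
        lines.append(f"sha256 {digest} {length} {name}")
    return "\n".join(lines) + "\n"


def verify_manifest(manifest, directory):
    """Return {name: True/False}; a file passes only if digest AND length match."""
    results = {}
    for line in manifest.splitlines():
        algo, digest, length, name = line.split(" ", 3)
        actual_digest, actual_length = file_digest_and_length(os.path.join(directory, name))
        results[name] = algo == "sha256" and actual_digest == digest and actual_length == int(length)
    return results


def demo():
    """Constructed sample: four files, one manifest, then tamper with one file."""
    with tempfile.TemporaryDirectory() as tmp:
        for i, body in enumerate([b"log", b"patch", b"checksum", b"continuation"]):
            with open(os.path.join(tmp, f"file{i}"), "wb") as f:
                f.write(body)
        manifest = build_manifest(tmp)          # this is what would be clearsigned once
        before = verify_manifest(manifest, tmp)
        with open(os.path.join(tmp, "file1"), "wb") as f:
            f.write(b"PATCH")                   # same length, different content
        after = verify_manifest(manifest, tmp)
        return all(before.values()), after["file1"], after["file0"]
```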
