|
| From: | Aaron Bentley |
| Subject: | Re: [Gnu-arch-users] Re: MD5 is broken |
| Date: | Wed, 16 Mar 2005 11:20:33 -0500 |
| User-agent: | Mozilla Thunderbird 0.6 (X11/20040530) |
John Arbash Meinel wrote:
Aaron Bentley wrote:John Arbash Meinel wrote:Why not put both detached signatures into the checksum file?It's not 'both', it's 'all', and in many cases, 'all' is 4 or more files. That's a lot of times to enter your password for signing. (gpg: --clearsign does not yet work with --multifile) AaronAgain, my feeling was to make it expandable, so that if someone wants to turn on gpg signing, they know in advance that they should probably set up a gpg-agent of some sort. Actually, since baz now requests 2 signatures on a commit, it motivated me to set up gpg-agent.
We're working on ways of bringing it back down to 1. It may require an archive format bump, though.
My statement was to let people be as paranoid as they want to be. If they don't want an agent and want to sign 4 times, let them.
My sentiment is "let's not punish people who want to operate in a secure fashion".
I wasn't advocating that it was the default.
Okay, I wasn't clear on that before.
Remember, doing a "tag" already requires 2 sigs, because it does a cacherev.
Well, only when you tag from a different archive. It doesn't do a cacherev if the direct ancestor is in the same archive.
Aaron -- Aaron Bentley Director of Technology Panometrics, Inc.
| [Prev in Thread] | Current Thread | [Next in Thread] |