Subject: Re: adding gpg to src/gnu/dist
To: Thor Lancelot Simon <firstname.lastname@example.org>
From: Daniel Carosone <email@example.com>
Date: 05/13/2004 12:02:38
Content-Type: text/plain; charset=us-ascii
On Wed, May 12, 2004 at 09:02:32PM -0400, Thor Lancelot Simon wrote:
> "Building up a web of trust" is not all that useful when what users want
> is to verify, for instance, that release binaries (or, in most contexts I
> can think of, package binaries) came from an entity vouched for by The
> NetBSD Foundation. That's the classic hierarchical trust model; it is the
> classic application for certificate-based signatures, which OpenSSL does
> just fine.
Agreed. I've PoC'd smime file signing a number of times for different
purposes using openssl.
> I am appalled by many things about GPG, not least of which are its size,
> its extensive dependencies (which include Perl),
Perl is there for only one silly and largely useless script. This
dependency is bogus, or at best should be optional, in pkgsrc.
On non-NetBSD platforms it pulls in a number of other dependencies,
but not on NetBSD.
> and its horrendous user
> interface which betrays an utter lack of understanding of the key role
> that usability plays in the actual secure use of security software.
Wait, are we talking about perl or openssl(1)? :)
> When we already have a program in the base system that can do the
> job that it is being proposed that we use GPG for, and, even better,
> that program is merely a command-line interface to a library which
> could easily be directly linked into the appropriate system/package
> tools, I am very, very strongly opposed to importing GPG into the
> base system for this purpose.
I agree, and the latter point is the key. The "user interface" for
smime-based file signing can and should be hidden with some scripts,
or within the pkg_* tools, or etc as appropriate for the task.
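
The point above about hiding smime-based file signing behind scripts, shown as an added example that is not part of the original message or of any NetBSD tool. The helper names, certificate subjects and file names are hypothetical, and the CA and signer are throwaway keys generated for the demo.

```shell
#!/bin/sh
# Added example: wrap openssl smime(1) in two helpers for detached file signing.
# All names, subjects and paths are hypothetical; the PKI is a throwaway.

# make_demo_pki DIR: self-signed CA plus one signer certificate issued by it.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Release CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Release Signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/signer.csr" -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/signer.crt" 2>/dev/null
}

# sign_file FILE PKIDIR: write a detached DER PKCS#7 signature to FILE.sig.
# -binary stops openssl from rewriting line endings before hashing.
sign_file() {
    openssl smime -sign -binary -in "$1" \
        -signer "$2/signer.crt" -inkey "$2/signer.key" \
        -outform DER -out "$1.sig"
}

# verify_file FILE CAFILE: exit 0 only if FILE.sig matches FILE and the
# signer certificate chains to a CA found via CAFILE.
verify_file() {
    openssl smime -verify -binary -inform DER -in "$1.sig" \
        -content "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Demo on a constructed file standing in for a release binary.
demo=$(mktemp -d)
make_demo_pki "$demo"
printf 'constructed release payload\n' > "$demo/base.tgz"
sign_file "$demo/base.tgz" "$demo"
verify_file "$demo/base.tgz" "$demo/ca.crt" && echo "signature OK"
printf 'x' >> "$demo/base.tgz"
verify_file "$demo/base.tgz" "$demo/ca.crt" || echo "tampered file rejected"
rm -rf "$demo"
```

The caller only sees an exit status, so the same check can sit inside a package tool: the file is accepted only when the signature matches and the signer was issued by the expected CA.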