Subject: Re: adding gpg to src/gnu/dist
To: None <>
From: Michael Richardson <>
List: tech-userlevel
Date: 05/16/2004 20:50:45

>>>>> "Marc" == Marc Tooley <> writes:
    >> both that the 'openssl' command-line utility could already do the
    >> necessary signing and verification operations, and that it would
    >> make more sense to link the pkg and installation tools with the
    >> OpenSSL libraries instead, and avoid the use of either horrible
    >> command-line tool.

    >> "Sticking with GNUPG" is not a valid reason to *add* GNUPG to the
    >> base system.

    Marc> I think this is a misinterpretation of what the original
    Marc> poster meant, and you're spinning it to make it look like he
    Marc> said something he didn't. It seems to me that since everyone
    Marc> else uses GPG as a method of signed distribution of code,
    Marc> advisories, and so forth, "sticking with it" would better be
    Marc> interpreted in the broad sense that he's suggesting we not
    Marc> impose non-standard ssl-based distribution on users who are
    Marc> already familiar with, and actively using, GPG.

  that's exactly what I meant.
  Principle of least surprise. 

  All this nonsense about key-signing parties, etc. is just that
nonsense. OpenPGP format (via GnuPG, Perl modules, or whatever) does not
require web-of-trust. It just permits it. 
  We can make it strict hierarchy if one likes. Or not. 
  I too want to signed executables that the kernel verifies as it pages
in. But, we aren't going to be using PKIX signatures on each page, nor
GnuPG ones. We will have a piece of data that is signed. We will have to
sign it, but which method is used doesn't affect things that much.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys