Subject: Re: adding gpg to src/gnu/dist
To: None <>
From: Love <>
List: tech-userlevel
Date: 05/18/2004 19:06:37

Marc Tooley <> writes:

>> 3. pgp provides identity, not what the key is supposed to do. sure,
>> the signature is supposed to be just that, but pushing out policy from
>> the CA with certificates is quite useful.
>>    "all certs with code-signing oid are approved by netbsd
>>    core/foundation/developers/whatever to be signer of binary pkgs,
>> you already trust netbsd ... by using our software"
>>    The question is, how do you intend to distribute policy ?
> If a security bulletin is signed by a key marked "System Distribution" 
> then it clearly says, "This is signed by known key 0x12134, System 
> Distribution Manager" I think users would notice.

My pkgsrc tree has N packages; should humans verify all text strings for
each of them?

It might not be a human at the end of the pkg_add program, it might be
another program (via cron). Thus the policy needs to machine

>> 4. How are certificates time limited, "Al is releng for a year now"
> GPG keys have a lifetime on them, you can expire them in X days no 
> problem.

But not signatures of keys? That is just fine for pgp, since pgp is signing
identities, not roles.

>> 5. Code quality should not be used as argument when comparing gpg and
>>    openssl, neither of them is pretty inside.
> The implication was, earlier in the thread, that GPG has a "messier" 
> user interface when I don't think that is true.

Yes, they are about equally bad.

> I've already said I have no code. In fact, I very specifically stated, 
> "Just my opinion. No code flows from me so of course opinion it'll 
> stay, but there it is." Nice term, that..  hand waving I mean. Thanks.

Thank you yourself, I got to know more about pgp that I missed when I read
the PGP RFC.
