Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Love <firstname.lastname@example.org>
Date: 05/18/2004 19:06:37
Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:
>> 3. pgp provides identity, not what the key is supposed to do. sure,
>> the signature is supposed to be just that, but pushing out policy from
>> the CA with certificates is quite useful.
>> "all certs with code-signing oid is approved by netbsd
>> core/foundation/developers/whatever to be signer of binary pkgs,
>> you already trust netbsd ... by using our software"
>> The question is, how do you intend to distribute policy ?
> If a security bulletin is signed by a key marked "System Distribution"
> then it clearly says, "This is signed by known key 0x12134, System
> Distribution Manager" I think users would notice.
My pkgsrc tree has N packages; should humans verify all text strings for
each of them?
It might not be a human at the end of the pkg_add program, it might be
another program (update-pkg.sh via cron). Thus the policy needs to machine
>> 4. How are certificates time limited, "Al is releng for a year now"
> GPG keys have a lifetime on them, you can expire them in X days no
But not signatures of keys ? That is just fine for pgp, since pgp is signing
identities, not roles.
>> 5. Code quality should not be used as argument when comparing gpg and
>> openssl, neither of them is pretty inside.
> The implication was, earlier in the thread, that GPG has a "messier"
> user interface when I don't think that is true.
Yes, they are about equally bad.
> I've already said I have no code. In fact, I very specifically stated,
> "Just my opinion. No code flows from me so of course opinion it'll
> stay, but there it is." Nice term, that.. hand waving I mean. Thanks.
Thank you yourself, I got to know more about pgp than I missed when I read
the PGP RFC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)
-----END PGP SIGNATURE-----
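The point raised above about an unattended pkg_add (update-pkg.sh via cron) is that a human cannot be expected to read a key's user-id string; the consumer of the signature is a program, so the policy of "which keys are allowed to sign binary packages, and are they still valid" has to be something that program can check. The following is an added example, not code from this thread or from NetBSD, showing one way such a check could be layered on top of gpg's machine-readable status output (what `gpg --status-fd 1 --verify pkg.tgz.sig pkg.tgz` prints). The policy table, the role names, the fingerprints and the status lines are all constructed placeholders.

```python
"""Role-based acceptance of gpg verification results for an unattended pkg_add.

Added example (not from the tech-security thread). The input is the
'[GNUPG:] ...' status output that `gpg --status-fd 1 --verify` writes; the
sample status texts below are constructed, and the role names and
fingerprints are placeholders for what a real policy file would carry.
"""
import time
from dataclasses import dataclass

SIGNER_FPR = "A" * 40   # placeholder primary-key fingerprint
OTHER_FPR = "B" * 40    # placeholder fingerprint of some other, unrelated key

# Hypothetical machine-readable policy: role -> allowed primary-key fingerprints.
# This is the piece that has to be distributed to every pkg_add consumer.
POLICY = {
    "binary-pkg-signer": {SIGNER_FPR},
    "security-officer": {OTHER_FPR},
}

# Constructed status output for a good signature by SIGNER_FPR.
# VALIDSIG fields: fpr sig-date sig-ts expire-ts version reserved pkalgo hashalgo class [primary-fpr]
GOOD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SIGNER_FPR[-16:]} Placeholder Signer <signer@example.org>
[GNUPG:] VALIDSIG {SIGNER_FPR} 2004-05-18 1084900000 0 4 0 1 8 00 {SIGNER_FPR}
[GNUPG:] TRUST_FULLY
"""

# Constructed: the key itself has expired (gpg reports EXPKEYSIG instead of GOODSIG).
EXPIRED_KEY_STATUS = GOOD_STATUS.replace("GOODSIG", "EXPKEYSIG")

# Constructed: the signature carries its own expiration timestamp (field 4 != 0)
# that lies in the past; gpg would also emit EXPSIG, omitted here to exercise
# the explicit timestamp check below.
EXPIRED_SIG_STATUS = GOOD_STATUS.replace(" 1084900000 0 4 ", " 1084900000 1000000000 4 ")


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""


def parse_status(status_text):
    """Return a list of (KEYWORD, [args]) from '[GNUPG:] KEYWORD args...' lines."""
    events = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line[len("[GNUPG:] "):].split()
        if parts:
            events.append((parts[0], parts[1:]))
    return events


def check_signature(status_text, role, policy=POLICY, now=None):
    """Accept the signature only if gpg validated it, nothing has expired,
    and the signing primary key is authorized for the requested role."""
    if now is None:
        now = int(time.time())
    events = parse_status(status_text)
    keywords = {kw for kw, _ in events}

    # Hard failures first, regardless of who signed.
    for bad in ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"):
        if bad in keywords:
            return Verdict(False, f"gpg reported {bad}")

    validsig = [args for kw, args in events if kw == "VALIDSIG"]
    if not validsig:
        return Verdict(False, "no VALIDSIG line in gpg status output")
    args = validsig[0]
    signing_fpr = args[0]
    # Subkeys sign in practice; policy is expressed on the primary key (last field).
    primary_fpr = args[9] if len(args) > 9 else signing_fpr

    # The signature's own expiration time (0 means none), checked explicitly.
    expire_ts = int(args[3]) if len(args) > 3 and args[3].isdigit() else 0
    if expire_ts and now > expire_ts:
        return Verdict(False, "signature itself expired", primary_fpr)

    if primary_fpr not in policy.get(role, set()):
        return Verdict(False, f"key {primary_fpr} is not authorized for role {role}", primary_fpr)
    return Verdict(True, f"signed by a key authorized for role {role}", primary_fpr)


if __name__ == "__main__":
    # Demo against the constructed samples; a real caller would feed the
    # captured --status-fd output of gpg for the downloaded package.
    for name, text in [("good", GOOD_STATUS), ("expired key", EXPIRED_KEY_STATUS),
                       ("expired sig", EXPIRED_SIG_STATUS)]:
        print(name, check_signature(text, "binary-pkg-signer", now=1084900000))
    print("wrong role", check_signature(GOOD_STATUS, "security-officer", now=1084900000))
```

The design choice is that the identity gpg establishes (GOODSIG plus a user-id string) is never what the script acts on; the decision is made on the primary-key fingerprint against a per-role allowlist, which is the part that has to be shipped to consumers and rotated when someone's role ends.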