tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Merge of pkg_install-renovation

On Tue, Nov 04, 2008 at 01:43:48PM +0100, Joerg Sonnenberger wrote:
> Regressions:
> - currently no support for GPG based signatures
>   - existing support only ever worked for local packages anyway and even
>     in that case TOCTOA issues remained, so running gpg by hand before is
>     as secure as the old code
>   - the signature format can be easily extended to deal with GPG signatures
>     once the issue of having a proper standalone library exists; hacks to
>     call gpg would be possible, but have issues like bootstrapping

Yes, these are both true (the local packages thing is stretching it a
bit, it's only binary package grabbing that you're talking about, but
whatever), but they are still regressions.

I'd like to see the previous support for gpg (and pgp) restored before
this is merged. And, yes, I'm doing my best to get the second one done
from a library, but it will have to be done to my own timescales, and it
may not be done tomorrow. But having gpg signatures is important to me,
and I see no reason for a regression here.


Home | Main Index | Thread Index | Old Index