Subject: Re: adding gpg to src/gnu/dist
To: Bill Studenmund <wrstuden@netbsd.org>
From: Daniel Carosone <dan@geek.com.au>
List: tech-security
Date: 05/18/2004 12:00:41
--u65IjBhB3TIa72Vp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, May 17, 2004 at 05:17:04PM -0700, Bill Studenmund wrote:
> Once concern I have with smime (and this could be a misunderstanding) is=
=20
> that it is MIME, after all, and as such makes things 7-bit clean, no? I=
=20
> like the tar file container idea for the simple reason it's 8-bit clean.

8-bit data gets base64 encoded, if that's what you mean, yes - or you
do a detached signature and leave the original file alone.

As I said previously, smime has suited my needs of past uses just fine
(for example, signed license/feature documents for commercial
software), but might not be entirely approriate for pkg use directly.

If we're going to adopt an archive-file format, with special
directories and filenames for pkg metadata, manifest and signatures
and so forth, there's already Java's .jar format (which is .zip plus
some content conventions). There's even prior art for directly
comparable uses - Sun publish their solaris patches as signed .jar's
now.

We could adopt that directly, or use the same kind of techniques in a
tar container - either way, the mechanism used in that format to
present file signatures is quite elegant and convenient for working
with unixy scripty type tools. Certainly informative and worth a look.

And of course you can also add additional external sigs on the
resulting pkg file, as we've discussed.

--
Dan.



--u65IjBhB3TIa72Vp
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iD8DBQFAqW5JEAVxvV4N66cRAvNKAJ92OmPi5+kmstEfW0H7ane92TWnNwCgnmYE
hU0pqVB9X6j6XI66PVuUvlE=
=I+sd
-----END PGP SIGNATURE-----

--u65IjBhB3TIa72Vp--