This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



RE: PGP signatures for packages?




> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua@the-youngs.org] 
> Sent: Friday, May 17, 2002 3:27 PM
> 

> So, how would the Cygwin team feel about GPG-signing just these
> two files?

I'm the setup.exe maintainer. Here's what I need before I will sign
setup.exe. (More on setup.ini later).

I need:
* A cygwin package, maintained by someone-that-is-not-me of GPG that is
compatible with my unix GPG (I know that should go without saying)
keyring.

That's it. But without that I will not sign setup.exe. Just like I
didn't compress it until UPX became a package :].

See http://www.cygwin.com/setup.html for information on contributing
GPG.

Until that is done, conversation on this is moot.

I would, BTW, sign it with a separate file. There may also be
logistical issues with upset getting the version number out of the upx
compressed file, but I think I have a solution to that that will work
for Chris.

As for setup.ini:

Signing of setup.ini is, IMO, meaningless at this point in time.
setup.ini, like the debian Packages or Releases or whatever the archive
is called, is a federated system. You can download from as many mirrors
as you like in one session, and setup provides a homogeneous view of the
result. In short, an unsigned setup.ini can alter the data you see from
a signed setup.ini. Per-package signing would be the way to go. Also, as
setup.ini is dynamically generated, we would have a serious key
management issue in attempting to have setup.ini signed. Per-package
signing allows the key management to be federated as well - to each
maintainer - and thus would not cause the same headache as signing
setup.ini.

Cheers,
Rob
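
The setup.ini argument above, as an added example that is not part of the original message and is not Cygwin's setup code: records from two mirrors are merged into one view, first trusting only the index-level signature flag and then checking a signature on each package record. Assumptions: the record fields, the mirror names, the maintainer keys and the highest-version-wins merge rule are constructed for illustration, and HMAC-SHA256 stands in for a detached GPG signature so the code runs with only the standard library.

```python
import hashlib
import hmac

# Constructed per-maintainer keys. HMAC-SHA256 is a stand-in for a detached
# GPG signature so the example runs with only the standard library.
MAINTAINER_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}

def _mac(maintainer, name, version, digest):
    msg = f"{name}|{'.'.join(map(str, version))}|{digest}".encode()
    return hmac.new(MAINTAINER_KEYS[maintainer], msg, hashlib.sha256).hexdigest()

def entry(name, version, payload, maintainer, sig=None):
    """One package record; the maintainer signs name, version and digest."""
    digest = hashlib.sha256(payload).hexdigest()
    sig = sig if sig is not None else _mac(maintainer, name, version, digest)
    return {"name": name, "version": version, "digest": digest,
            "maintainer": maintainer, "sig": sig}

def package_sig_ok(e):
    """Per-package check: independent of which mirror served the record."""
    if e["maintainer"] not in MAINTAINER_KEYS:
        return False
    expected = _mac(e["maintainer"], e["name"], e["version"], e["digest"])
    return hmac.compare_digest(expected, e["sig"])

def merge(mirrors, verify_packages=False):
    """Build the single merged view: highest version per package wins."""
    view = {}
    for m in mirrors:
        for e in m["entries"]:
            if verify_packages and not package_sig_ok(e):
                continue  # drop records whose maintainer signature fails
            cur = view.get(e["name"])
            if cur is None or e["version"] > cur["version"]:
                view[e["name"]] = dict(e, source=m["name"], index_signed=m["index_signed"])
    return view

# Constructed mirrors: A's index verified, B's index is unsigned.
MIRROR_A = {"name": "mirror-a.example", "index_signed": True,
            "entries": [entry("gnupg", (1, 0), b"genuine build", "alice")]}
MIRROR_B = {"name": "mirror-b.example", "index_signed": False,
            "entries": [entry("gnupg", (9, 9), b"altered build", "alice", sig="0" * 64),
                        entry("upx", (1, 2), b"upx build", "bob")]}

if __name__ == "__main__":
    for label, flag in (("index-level trust", False), ("per-package trust", True)):
        for name, e in sorted(merge([MIRROR_A, MIRROR_B], flag).items()):
            print(label, name, e["version"], "from", e["source"])
```

With index-level trust only, the merged view takes the gnupg record from the unsigned mirror; with per-package checks that record is dropped, while the validly signed upx record is still accepted from the same unsigned mirror.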
