Re: adding gpg to src/gnu/dist
From: Daniel Carosone (dan
geek.com.au)
Date: Wed May 12 2004 - 21:02:38 CDT
On Wed, May 12, 2004 at 09:02:32PM -0400, Thor Lancelot Simon wrote:
> "Building up a web of trust" is not all that useful when what users want
> is to verify, for instance, that release binaries (or, in most contexts I
> can think of, package binaries) came from an entity vouched for by The
> NetBSD Foundation. That's the classic hierarchical trust model; it is the
> classic application for certificate-based signatures, which OpenSSL does
> just fine.
Agreed. I've PoC'd smime file signing a number of times for different
purposes using openssl.
> I am appalled by many things about GPG, not least of which are its size,
> its extensive dependencies (which include Perl),
Perl is there for only one silly and largely useless script. This
dependency is bogus, or at best should be optional, in pkgsrc.
On non-NetBSD platforms it pulls in a number of other dependencies,
but not on NetBSD.
> and its horrendous user
> interface which betrays an utter lack of understanding of the key role
> that usability plays in the actual secure use of security software.
Wait, are we talking about perl or openssl(1)? :)
> When we already have a program in the base system that can do the
> job that it is being proposed that we use GPG for, and, even better,
> that program is merely a command-line interface to a library which
> could easily be directly linked into the appropriate system/package
> tools, I am very, very strongly opposed to importing GPG into the
> base system for this purpose.
I agree, and the latter point is the key. The "user interface" for
smime-based file signing can and should be hidden with some scripts,
or within the pkg_* tools, or etc as appropriate for the task.
--
Dan.
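The hierarchical, certificate-based file signing discussed in this message, wrapped in small shell functions around `openssl smime`. This is an added example, not code from the thread or from NetBSD's tools. The function names, the throwaway "Demo" CA, and the file names are hypothetical, and it assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example: detached S/MIME (PKCS#7) file signing under one root CA.
# All names below (make_demo_pki, sign_file, verify_file, demo) are hypothetical.

# make_demo_pki DIR: create a throwaway root CA and one signer cert issued by it.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Release Signer" \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signer.crt" 2>/dev/null
}

# sign_file FILE CERT KEY: write a detached DER signature to FILE.p7s.
# -binary stops openssl from canonicalising line endings in binary payloads.
sign_file() {
    openssl smime -sign -binary -in "$1" -signer "$2" -inkey "$3" \
        -outform DER -out "$1.p7s"
}

# verify_file FILE CAFILE: exit 0 only if FILE.p7s matches FILE and the signer
# chains to CAFILE. -no-CApath keeps the system trust store out of the decision.
verify_file() {
    openssl smime -verify -binary -inform DER -in "$1.p7s" -content "$1" \
        -CAfile "$2" -no-CApath -out /dev/null 2>/dev/null
}

# demo: sign a constructed payload, then verify it against the right root,
# against an unrelated root, and after tampering. Prints the three outcomes.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/a" "$t/b"
    make_demo_pki "$t/a" || return 1
    make_demo_pki "$t/b" || return 1
    printf 'constructed release payload\n' > "$t/pkg.tgz"
    sign_file "$t/pkg.tgz" "$t/a/signer.crt" "$t/a/signer.key" || return 1
    if verify_file "$t/pkg.tgz" "$t/a/ca.crt"; then r1=ok; else r1=fail; fi
    if verify_file "$t/pkg.tgz" "$t/b/ca.crt"; then r2=ok; else r2=fail; fi
    printf 'x' >> "$t/pkg.tgz"   # simulate modification after signing
    if verify_file "$t/pkg.tgz" "$t/a/ca.crt"; then r3=ok; else r3=fail; fi
    rm -rf "$t"
    echo "$r1 $r2 $r3"
}
```

Calling `demo` prints the result of the three checks in order: correct root, unrelated root, tampered file.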