Steve Youngs <youngs(a)xemacs.org> writes:
> Do the package-index files need to be PGP signed?
> At the moment it is definitely causing more trouble than it is worth.
> It has got all kinds of weird failure modes and got broken for good
> when the PGP format changed with PGP5 and pgp 2.6 didn't cope
> gracefully.
> Does anyone know what the reasoning was behind the idea in the first
> place?
The reasoning was that by signing the MD5s in the package index,
you could be reasonably sure of the origins of the packages.
> Another thing that concerns me is that if I apply the patch to fix the
> PGP stuff and then start signing the package-index files it'll bugger
> up any XEmacsen that are pre-PGP-patch.
> So, what would you like me to do; fix the PGP code and tell everyone
> to stop whining and upgrade, or get rid of the PGP code in the
> package tools altogether?
If you have working code that does reliable GPG verification I suggest
having a separate signature (or a separate package-index.gpg file
which is signed) so as to not hurt older XEmacsen and which newer ones
would pick up if it existed.
Later we can then switch the default to require the .gpg file.
Jan
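The two-stage scheme Jan sketches (verify a detached package-index.gpg when it exists, tolerate its absence until the default is flipped, then check every package's MD5 against the index) is small enough to write down. The following is an added example for this thread, not code from the XEmacs package tools. It assumes an md5sum-style index layout of `<md5hex>  <filename>` lines, a `gpg` command-line tool with the signing key already in the local keyring, and constructed sample packages; the `verifier` parameter exists so the signature step can be swapped out, which the demo uses to show the failing-signature case without a real key.

```python
"""Verify a package index with an optional detached GPG signature plus MD5 checks."""
import hashlib
import subprocess
import tempfile
from pathlib import Path


def verify_detached_signature(index_path, sig_path):
    """Check a detached signature with the gpg command-line tool.

    Assumes `gpg` is installed and the signing key is already trusted in the
    local keyring (both assumptions made for this example).  A GOODSIG line on
    the status fd is required, not merely a zero exit status.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(index_path)],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0 and "[GNUPG:] GOODSIG " in result.stdout


def parse_index(text):
    """Parse `<md5hex>  <filename>` lines (assumed md5sum-style layout); '#' lines are comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name] = digest.lower()
    return entries


def check_index(index_dir, require_signature=False, verifier=verify_detached_signature):
    """Verify the package index in index_dir and return a report dict.

    Policy:
      * package-index.gpg present -> it must verify, otherwise the whole index is rejected
      * package-index.gpg absent  -> accepted only while require_signature is False
    Then every listed package is hashed and compared with its MD5 entry.
    """
    index_dir = Path(index_dir)
    index_path = index_dir / "package-index"
    sig_path = index_dir / "package-index.gpg"

    if sig_path.exists():
        if not verifier(index_path, sig_path):
            raise ValueError("package-index.gpg does not verify; refusing the index")
        signed = True
    elif require_signature:
        raise ValueError("package-index.gpg missing and signatures are required")
    else:
        signed = False  # old-style index: accepted for now, but flagged as unsigned

    entries = parse_index(index_path.read_text())
    mismatched, missing = [], []
    for name, expected in entries.items():
        pkg = index_dir / name
        if not pkg.exists():
            missing.append(name)
            continue
        if hashlib.md5(pkg.read_bytes()).hexdigest() != expected:
            mismatched.append(name)
    return {"signed": signed, "checked": len(entries), "mismatched": mismatched, "missing": missing}


def build_sample_index(dirpath):
    """Write a constructed two-package index into dirpath (sample data, not real packages)."""
    dirpath = Path(dirpath)
    packages = {"xemacs-base-1.0.tar.gz": b"constructed package one\n",
                "edit-utils-1.0.tar.gz": b"constructed package two\n"}
    lines = []
    for name, data in packages.items():
        (dirpath / name).write_bytes(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {name}")
    (dirpath / "package-index").write_text("\n".join(lines) + "\n")


def demo():
    """Run the four cases the thread worries about and return their outcomes."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_index(tmp)
        # 1. Old-style unsigned index while the signature is optional: accepted, reported unsigned.
        outcomes["unsigned_optional"] = check_index(tmp)["signed"]
        # 2. Same index after the default is switched to require the .gpg file: rejected.
        try:
            check_index(tmp, require_signature=True)
            outcomes["unsigned_required"] = "accepted"
        except ValueError:
            outcomes["unsigned_required"] = "rejected"
        # 3. A package altered after the index was written no longer matches its MD5.
        (Path(tmp) / "edit-utils-1.0.tar.gz").write_bytes(b"altered contents\n")
        outcomes["tampered"] = check_index(tmp)["mismatched"]
        # 4. A .gpg file that fails to verify rejects the index even in optional mode.
        (Path(tmp) / "package-index.gpg").write_bytes(b"placeholder, not a real signature")
        try:
            check_index(tmp, verifier=lambda index, sig: False)
            outcomes["bad_signature"] = "accepted"
        except ValueError:
            outcomes["bad_signature"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Flipping `require_signature` to True is the "later switch the default" step; until then an old unsigned index still installs, but the report says so, which lets the client warn rather than silently trust it. MD5 is kept here only because it is what the index of the day carried.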