gnu-arch-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch

From: Robert Collins
Subject: Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch
Date: Mon, 08 Dec 2003 07:32:15 +1100 
On Mon, 2003-12-08 at 07:49, Tom Lord wrote:

>     > For auditing, a smart server will need to keep the gpg signed
>     > tarballs and log files. So, while it may generate whatever it
>     > wants on the fly, and sign it with a server key, to show that
>     > address@hidden commited patch-45, it will /need/ the
>     > original tarball, and the original signature.
> 
> That's not true.  It can verify the incoming data, protect it, and
> discard the original tar-ball and signature.

Beep. Wrong. The smart server's records are not intrinsically trusted.
-HOW- can it prove that I provided the changeset patch-45 ?


>     > How do you suggest that key selection be implemented then?
> 
> So far, pass-thrus from command-line to transport seem the best option
> to me.   Alternatively, we could have some persistent data (some
> .arch-params thing) that only the transport layer looks at.

Lets start with command line.

Rob

-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.

Attachment: signature.asc
Description: This is a digitally signed message part

reply via email to
[Prev in Thread] Current Thread [Next in Thread]