From: Joseph Parmelee <jparmele@wildbear.com>
To: Ted Ts'o <tytso@mit.edu>
Cc: "Jeff King" <peff@peff.net>, "Junio C Hamano" <gitster@pobox.com>,
"Carlos Martín Nieto" <cmn@elego.de>,
"Olsen, Alan R" <alan.r.olsen@intel.com>,
"Michael Witten" <mfwitten@gmail.com>,
"git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Lack of detached signatures
Date: Wed, 28 Sep 2011 19:29:11 -0600 (CST) [thread overview]
Message-ID: <alpine.LNX.2.00.1109281914510.29373@bruno> (raw)
In-Reply-To: <20110928230958.GJ19250@thunk.org>
On Wed, 28 Sep 2011, Ted Ts'o wrote:
> On Wed, Sep 28, 2011 at 06:25:43PM -0400, Jeff King wrote:
>> [1] This is a minor nit, and probably not worth breaking away from the
>> way the rest of the world does it, but it is somewhat silly to sign the
>> compressed data. I couldn't care less about the exact bytes in the
>> compressed version; what I care about is the actual tar file. The
>> compression is just a transport.
>
> The worry I have is that many users don't check the GPG checksum files
> as it is. If they have to decompress the file, and then run gpg to
> check the checksum, they might never get around to doing it.
>
> That being said, I'm not sure I have a good solution. One is to ship
> the file without using detached signatures, and ship a foo.tar.gz.gpg
> file, and force them to use GPG to unwrap the file before it can be
> unpacked. But users would yell and scream if we did that...
>
> - Ted
>
Or you could just provide detached signatures for the compressed tarballs
like they have been doing for years at kernel.org (and many other sites).
If tarball.tar.bz2 has a detached signature tarball.tar.bz2.sig, just
download them both and:
gpg --verify tarball.tar.gz.sig
To argue that some people don't avail themselves of this feature is no
excuse for not providing it for those of us who consider it vital. The
break in at k.o is no excuse for dropping this very sensible policy which
has protected us for years. Just change the signing key and continue as
before.
next prev parent reply other threads:[~2011-09-29 1:29 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-27 23:48 Lack of detached signatures Joseph Parmelee
2011-09-28 0:03 ` Junio C Hamano
2011-09-28 0:07 ` Michael Witten
2011-09-28 4:17 ` Olsen, Alan R
2011-09-28 7:41 ` Carlos Martín Nieto
2011-09-28 12:36 ` Joseph Parmelee
2011-09-28 16:45 ` Junio C Hamano
2011-09-28 16:55 ` Michael Witten
2011-09-28 16:59 ` Matthieu Moy
2011-09-28 22:25 ` Jeff King
2011-09-28 23:09 ` Ted Ts'o
2011-09-29 0:28 ` Junio C Hamano
2011-09-29 1:59 ` Ted Ts'o
2011-09-29 3:50 ` Junio C Hamano
2011-09-29 13:18 ` Ted Ts'o
2011-09-29 14:40 ` Sverre Rabbelier
2011-09-29 14:50 ` Ted Ts'o
2011-09-29 14:52 ` Sverre Rabbelier
2011-09-29 16:47 ` Joseph Parmelee
2011-09-29 1:29 ` Joseph Parmelee [this message]
2011-09-29 1:41 ` Jeff King
2011-09-29 20:31 ` Olsen, Alan R
2011-09-28 22:40 ` Joseph Parmelee
2011-09-28 17:03 ` Ben Walton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LNX.2.00.1109281914510.29373@bruno \
--to=jparmele@wildbear.com \
--cc=alan.r.olsen@intel.com \
--cc=cmn@elego.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=mfwitten@gmail.com \
--cc=peff@peff.net \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox