From mboxrd@z Thu Jan 1 00:00:00 1970 From: Joseph Parmelee Subject: Re: Lack of detached signatures Date: Wed, 28 Sep 2011 19:29:11 -0600 (CST) Message-ID: References: <7vty7xttxh.fsf@alter.siamese.dyndns.org> <4B2793BF110AAB47AB0EE7B90897038516F63A7C@ORSMSX101.amr.corp.intel.com> <1317195719.30267.4.camel@bee.lab.cmartin.tk> <7v1uv01uqm.fsf@alter.siamese.dyndns.org> <20110928222542.GA18120@sigill.intra.peff.net> <20110928230958.GJ19250@thunk.org> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Jeff King , Junio C Hamano , =?ISO-8859-15?Q?Carlos_Mart=EDn_Nieto?= , "Olsen, Alan R" , Michael Witten , "git@vger.kernel.org" To: Ted Ts'o X-From: git-owner@vger.kernel.org Thu Sep 29 03:29:22 2011 Return-path: Envelope-to: gcvg-git-2@lo.gmane.org Received: from vger.kernel.org ([209.132.180.67]) by lo.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1R95RB-0001h1-ND for gcvg-git-2@lo.gmane.org; Thu, 29 Sep 2011 03:29:22 +0200 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755467Ab1I2B3Q (ORCPT ); Wed, 28 Sep 2011 21:29:16 -0400 Received: from ip205-30-10-190.ct.co.cr ([190.10.30.205]:50522 "EHLO bruno.wildbear.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1754186Ab1I2B3O (ORCPT ); Wed, 28 Sep 2011 21:29:14 -0400 Received: by bruno.wildbear.com (Postfix, from userid 503) id C4CD61BE062E; Wed, 28 Sep 2011 19:29:11 -0600 (CST) Received: from localhost (localhost [127.0.0.1]) by bruno.wildbear.com (Postfix) with ESMTP id 93E491BE062B; Wed, 28 Sep 2011 19:29:11 -0600 (CST) X-X-Sender: jparmele@bruno In-Reply-To: <20110928230958.GJ19250@thunk.org> User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org Archived-At: On Wed, 28 Sep 2011, Ted Ts'o wrote: > On Wed, Sep 28, 2011 at 06:25:43PM -0400, Jeff King wrote: >> [1] This is a minor nit, and probably not worth breaking away from the >> way the rest of the world does it, but it is somewhat silly to sign the >> compressed data. I couldn't care less about the exact bytes in the >> compressed version; what I care about is the actual tar file. The >> compression is just a transport. > > The worry I have is that many users don't check the GPG checksum files > as it is. If they have to decompress the file, and then run gpg to > check the checksum, they might never get around to doing it. > > That being said, I'm not sure I have a good solution. One is to ship > the file without using detached signatures, and ship a foo.tar.gz.gpg > file, and force them to use GPG to unwrap the file before it can be > unpacked. But users would yell and scream if we did that... > > - Ted > Or you could just provide detached signatures for the compressed tarballs like they have been doing for years at kernel.org (and many other sites). If tarball.tar.bz2 has a detached signature tarball.tar.bz2.sig, just download them both and: gpg --verify tarball.tar.gz.sig To argue that some people don't avail themselves of this feature is no excuse for not providing it for those of us who consider it vital. The break in at k.o is no excuse for dropping this very sensible policy which has protected us for years. Just change the signing key and continue as before.