Mail Archives: cygwin/2002/05/17/01:40:20
> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua AT the-youngs DOT org]
> Sent: Friday, May 17, 2002 3:27 PM
>
> So, how would the Cygwin team feel about GPG-signing just these
> two files?
I'm the setup.exe maintainer. Here's what I need before I will sign
setup.exe. (More on setup.ini later).
I need:
* A cygwin package, maintained by someone-that-is-not-me of GPG that is
compatible with my unix GPG (I know that should go without saying)
keyring.
That's it. But without that I will not sign setup.exe. Just like I
didn't compress it until UPX became a package :].
See http://www.cygwin.com/setup.html for information on contributing
GPG.
Until that is done, conversation on this is moot.
I would, BTW, sign it with a separate file. There may also be
logistical issues with upset getting the version number out of the upx
compressed file, but I think I have a solution to that that will work
for Chris.
As for setup.ini:
Signing of setup.ini is, IMO, meaningless at this point in time.
setup.ini, like the debian Packages or Releases or whatever the archive
is called, is a federated system. You can download from as many mirrors
as you like in one session, and setup provides a homogeneous view of the
result. In short, an unsigned setup.ini can alter the data you see from
a signed setup.ini. Per-package signing would be the way to go. Also, as
setup.ini is dynamically generated, we would have a serious key
management issue in attempting to have setup.ini signed. Per package
signing allows the key management to be federated as well - to each
maintainer - and thus would not cause the same headache as signing
setup.ini.
Cheers,
Rob
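The federated-mirror argument above, as an added example that is not from the original thread or from Cygwin's setup code: a merged view built from two constructed mirrors, where one mirror's unsigned entry overrides a signed one, versus per-package verification against each maintainer's key (an HMAC stand-in for GPG; mirror names, package versions and key material are constructed).

```python
import hashlib
import hmac

# Constructed stand-in for GPG signatures: HMAC-SHA256 keyed with a
# per-maintainer secret. Only the trust structure is modelled here.
MAINTAINER_KEYS = {
    "alice": b"constructed-key-alice",   # maintains 'gpg'
    "bob": b"constructed-key-bob",       # maintains 'upx'
}

def sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def entry(name, version, maintainer):
    """One setup.ini package entry; the maintainer signs name+version."""
    return {"name": name, "version": version, "maintainer": maintainer,
            "sig": sign(MAINTAINER_KEYS[maintainer], f"{name} {version}")}

# Constructed mirrors. mirror-a carries properly signed entries; mirror-b
# republishes 'gpg' with an altered version and a signature it cannot
# produce, since it does not hold alice's key.
MIRRORS = {
    "mirror-a": [entry("gpg", "1.0.7-1", "alice"), entry("upx", "1.20-1", "bob")],
    "mirror-b": [{"name": "gpg", "version": "9.9-1", "maintainer": "alice",
                  "sig": sign(b"not-alices-key", "gpg 9.9-1")}],
}

def merge_by_mirror(mirrors):
    """Homogeneous view as setup builds it: later mirrors override earlier.
    Signing setup.ini as a file only vouches for mirror-a's copy; the
    unsigned mirror-b entry still replaces it in the merged result."""
    view = {}
    for _, entries in sorted(mirrors.items()):
        for e in entries:
            view[e["name"]] = e
    return {n: e["version"] for n, e in view.items()}

def merge_per_package(mirrors):
    """Per-package signing: each entry is checked against its maintainer's
    key regardless of which mirror served it; forged entries are dropped."""
    view = {}
    for _, entries in sorted(mirrors.items()):
        for e in entries:
            expected = sign(MAINTAINER_KEYS[e["maintainer"]],
                            f"{e['name']} {e['version']}")
            if hmac.compare_digest(expected, e["sig"]):
                view[e["name"]] = e
    return {n: e["version"] for n, e in view.items()}
```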