Subject: RE: PGP signatures for packages?
From: "Robert Collins"
To: "Michael Young"
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Fri, 17 May 2002 15:39:41 +1000

> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua AT the-youngs DOT org]
> Sent: Friday, May 17, 2002 3:27 PM
>
> So, how would the Cygwin team feel about GPG-signing just these
> two files?

I'm the setup.exe maintainer. Here's what I need before I will sign setup.exe. (More on setup.ini later.)

I need:

* A cygwin package of GPG, maintained by someone-that-is-not-me, that is compatible with my unix GPG keyring (I know that should go without saying).

That's it. But without that I will not sign setup.exe. Just like I didn't compress it until UPX became a package :]. See http://www.cygwin.com/setup.html for information on contributing GPG. Until that is done, conversation on this is moot.

I would, BTW, sign it with a separate file. There may also be logistical issues with upset getting the version number out of the UPX-compressed file, but I think I have a solution to that that will work for Chris.

As for setup.ini:

Signing of setup.ini is, IMO, meaningless at this point in time. setup.ini, like the debian Packages or Releases or whatever the archive is called, is a federated system. You can download from as many mirrors as you like in one session, and setup provides a homogeneous view of the result. In short, an unsigned setup.ini can alter the data you see from a signed setup.ini. Per-package signing would be the way to go.

Also, as setup.ini is dynamically generated, we would have a serious key management issue in attempting to have setup.ini signed. Per-package signing allows the key management to be federated as well - to each maintainer - and thus would not cause the same headache as signing setup.ini.

Cheers,
Rob
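The merge argument Rob makes above, as an added example that is not part of the original thread: a small Python model of setup merging setup.ini from several mirrors in one session, contrasting index-level signing with per-package signing. HMAC stands in for GPG detached signatures, and the keys, mirrors, package names and digests are all constructed.

```python
import hashlib
import hmac

# Constructed keys: a release key for a signed setup.ini, and one key per
# package maintainer (the federated key management Rob describes).
INDEX_KEY = b"release-key"
MAINTAINER_KEYS = {"bash": b"bash-maint-key", "gpg": b"gpg-maint-key"}

def sign(key: bytes, data: str) -> str:
    """HMAC stands in for a GPG detached signature over `data`."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, data: str, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

# Each mirror publishes its own setup.ini (package -> archive digest). Only
# mirror A's index is signed; mirror B is a plain unsigned mirror that
# advertises a different gpg archive (stale or tampered, setup cannot tell).
MIRROR_A = {"index": {"bash": "sha:aaa1", "gpg": "sha:bbb2"}}
MIRROR_A["index_sig"] = sign(INDEX_KEY, repr(MIRROR_A["index"]))
MIRROR_B = {"index": {"gpg": "sha:ccc3"}, "index_sig": None}

# Per-package signatures are made by each package's own maintainer; a mirror
# can relay but not forge them, so one lookup table suffices in this model.
PKG_SIGS = {"bash": sign(MAINTAINER_KEYS["bash"], "sha:aaa1"),
            "gpg": sign(MAINTAINER_KEYS["gpg"], "sha:bbb2")}

def homogeneous_view(mirrors):
    """setup's merged view of a session: later mirrors fill in or override."""
    view = {}
    for m in mirrors:
        view.update(m["index"])
    return view

def index_signed_view(mirrors):
    """Index-level signing: a signed setup.ini is checked, but unsigned
    mirrors cannot be refused, so their entries still reach the merged view."""
    for m in mirrors:
        if m["index_sig"] and not verify(INDEX_KEY, repr(m["index"]), m["index_sig"]):
            raise ValueError("signed setup.ini failed verification")
    return homogeneous_view(mirrors)

def per_package_view(mirrors):
    """Per-package signing: keep an entry only if its digest verifies under
    that package's maintainer key, whichever mirror supplied it."""
    return {name: digest for name, digest in homogeneous_view(mirrors).items()
            if name in PKG_SIGS and name in MAINTAINER_KEYS
            and verify(MAINTAINER_KEYS[name], digest, PKG_SIGS[name])}
```

With both mirrors in the session, the index-level check passes yet the gpg entry shown comes from the unsigned mirror; the per-package check drops that entry and keeps only what a maintainer actually signed.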