From: Roy Bamford
Date: Mon, 19 Nov 2018 20:48:37 +0000
Subject: Re: [gentoo-dev] [pre-GLEP r1] Gentoo binary package container format
To: gentoo-dev@lists.gentoo.org

On 2018.11.19 19:33, Rich Freeman wrote:
> On Mon, Nov 19, 2018 at 2:21 PM Roy Bamford wrote:
> >
> > "The archive members support optional OpenPGP signatures.
> > The implementations must allow the user to specify whether OpenPGP
> > signatures are to be expected in remotely fetched packages."
> >
> > Or can the user specify that only some elements need to be signed?
> >
> > Is it a problem if not all elements are signed with the same key?
> > That could happen if one person makes a binpackage and someone
> > else updates the metadata.
> >
>
> IMO this is going a bit into PM details for a GLEP that is about
> container formats.
>

Rich,

Not really. The GLEP needs to be clear about the signing.
Is it every element or none?
The GLEP hints that a mix is possible with

If the implementation needs to manipulate archive members, it must
either create a new signature or discard the existing signature.

An individual binpackage could start life with all elements signed by the
same key. Some element could be updated and the key for the signature of
that element changed. Later still, another element can be changed and
have its signature dropped.

Should some combinations have no practical value, they should not be
permitted by the GLEP.

> --
> Rich
>

--
Regards,

Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods
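
Added example, not part of the original message or of the GLEP: the three stages in the life of a binpackage described above, classified by signature state and checked against one possible strict policy. It assumes OpenPGP verification has already been done and has produced a signer fingerprint (or None) for each archive member; the member names, key names and the policy itself are hypothetical.

```python
from enum import Enum

class SigState(Enum):
    UNSIGNED = "no member signed"
    UNIFORM = "all members signed by one key"
    MULTI_KEY = "all members signed, more than one key"
    PARTIAL = "some members signed, some not"

def classify(members):
    """members: dict of member name -> signer fingerprint, or None if unsigned."""
    signers = list(members.values())
    keys = {s for s in signers if s is not None}
    if not keys:
        return SigState.UNSIGNED
    if None in signers:
        return SigState.PARTIAL
    return SigState.UNIFORM if len(keys) == 1 else SigState.MULTI_KEY

def check(members, expect_signatures, trusted_keys):
    """Return (accepted, reason) under a strict all-or-nothing policy (assumed)."""
    state = classify(members)
    if not expect_signatures:
        return True, "signatures not expected: " + state.value
    if state in (SigState.UNSIGNED, SigState.PARTIAL):
        # A discarded signature looks the same as a member that was never
        # signed, so any unsigned member fails when signatures are expected.
        return False, state.value
    untrusted = sorted({k for k in members.values() if k not in trusted_keys})
    if untrusted:
        return False, "untrusted signer: " + ", ".join(untrusted)
    return True, state.value

# Constructed sample data: placeholder key ids and hypothetical member names.
BUILDER, EDITOR = "KEY-BUILDER", "KEY-EDITOR"
STAGE_1 = {"metadata": BUILDER, "image": BUILDER}  # all signed, same key
STAGE_2 = {"metadata": EDITOR, "image": BUILDER}   # one member re-signed
STAGE_3 = {"metadata": EDITOR, "image": None}      # one signature dropped

if __name__ == "__main__":
    for name, pkg in (("stage 1", STAGE_1), ("stage 2", STAGE_2), ("stage 3", STAGE_3)):
        print(name, classify(pkg).name, check(pkg, True, {BUILDER}))
```

With only the builder's key trusted, stage 1 is accepted, while stages 2 and 3 are rejected for different reasons; which of these outcomes a package manager should produce is the question the GLEP text leaves open.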