Re: [Arx-users] register-archive and signing

arx-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Arx-users] register-archive and signing

From:	Kevin Smith
Subject:	Re: [Arx-users] register-archive and signing
Date:	Tue, 07 Dec 2004 22:56:26 -0500

On Tue, 2004-12-07 at 22:38 -0500, Walter Landry wrote:
> Well, there is no way to create an alias right now.  If you mean just
> registering the archive with a different name, that definitely won't
> work.  

Oh. I'm already sick and tired of typing in your archive name and my
archive name, so I think an alias system will be mandatory at some
point. I added a bug for this.

> > If you specify both the name and location, then ArX will
> > not download any public keys.  In that case, the archive will be treated
> > as if it is not signed.
> > ---
> > 
> > So would that really disable signature checking? Is that just a
> > temporary state while you're working on the signing feature, or do you
> > envision it staying that way as a "feature"? 
> 
> Maybe not.  I was a little worried about requiring people to have yet
> another program (gpg) installed on their machine.  However, I can set
> it up so that the only real trouble people without gpg will have is
> that they will get lots of warnings when downloading stuff from signed
> archives.
> 
> However, it will mean that you can't register an archive unless you
> can connect to it.  Otherwise, you would not be able to get the public
> keys.  I don't know if that is really a problem, since I can't think
> of any reason to register an archive unless you want to see what it
> has.

My main concern was that the signed-ness of an archive should not be
determined implicitly. I guess I see now why it worked out that way, but
I would prefer that it somehow fail, rather than quietly turning off
signature checking.

I can imagine wanting to register an archive that is not currently
accessible, but I don't think that is a critical feature. I think it
would be reasonable to disable that ability, which would then solve my
concern. 

You could add an --unsigned option that would disable signature checking
for an archive. If sig-checking is expected to be the norm, then I would
like to see a check right then for gpg availability, and if it's not
there, force the user to say --unsigned. If sig-checking is expected to
be more of a side case, then you might automatically (with a warning)
disable sig-checking for any archive that was registered when gpg was
not available.

Just my thoughts.

Kevin

[Prev in Thread]

Current Thread

[Next in Thread]

[Arx-users] register-archive and signing, Kevin Smith, 2004/12/06
- Re: [Arx-users] register-archive and signing, Walter Landry, 2004/12/07
  - Re: [Arx-users] register-archive and signing, Kevin Smith <=
    - Re: [Arx-users] register-archive and signing, Walter Landry, 2004/12/08

Prev by Date: [Arx-users] My first patch (fix for --version and gpg)
Next by Date: Re: [Arx-users] Adding crypto to ArX
Previous by thread: Re: [Arx-users] register-archive and signing
Next by thread: Re: [Arx-users] register-archive and signing
Index(es):
- Date
- Thread