[Catalog-sig] repository security concerns
Andrew Kuchling
akuchlin@mems-exchange.org
Mon, 11 Mar 2002 10:38:54 -0500
On Sun, Mar 10, 2002 at 02:42:48PM -0800, Kapil Thangavelu wrote:
>is there an easier way to try and insure end-to-end
>security or are there flaws in the above model? does
>it require too much of the developer? should the
>repository even be attempting to be secure?
It seems reasonable, and could be made fairly simple by just using
GnuPG to do the signature generation and checking. The Python code
could then check if GnuPG is installed, displaying an innocuous "Not
verifying signature" message if it's not, and checking the signature
if it is.
--amk (www.amk.ca)
Oh, my fingers! My arms! My legs! My everything! Argh...
-- The Doctor, in "Nightmare of Eden"