On 09.08.19 14:41, Petr Pisar wrote:
> I thought you want to start using minisign because it's easier for code
> signing and verification than GnuPG. But now you are talking about some
> developers who don't know how to use OpenSSL library. I probably miss the
> point.

I am already using Minisign for my own release source tarballs. Using
GnuPG (PGP) for signing/verifying software releases is a bad idea, as
per the various links to blog posts of well-known cryptography experts I
included in previous mails. Also see my blog post about it [1]. If
Minisign turns out to be a bad idea in x years I'll just switch to
something else.

As part of working on Minisigning my software, I thought it might
benefit other Fedora/CentOS packagers and/or developers to have the
option to use Minisign directly through Fedora/EPEL. That's why I
packaged [2] Minisign and proposed adding a section to the packaging
guidelines about using Minisign, next to PGP.

Somehow I got tricked into discussing Red Hat's policy for crypto
library inclusion in Red Hat Enterprise Linux. This is not really
relevant for me as I am not a Red Hat employee. I do understand there
are business/political/technical reasons why Red Hat may not adopt
libsodium as part of RHEL, but those are not really relevant here for my
contribution as they aim primarily at Fedora/EPEL.

As libsodium is already part of Fedora and EPEL, whether or not to
include libsodium in Fedora/EPEL is also no longer relevant...

The only thing relevant at this moment is, I think, whether or not to
include Minisign in the Fedora packaging guidelines next to PGP as an
option to verify source tarballs for use by packagers when upstream
signs their software using signify/Minisign. That's all that needs to be
discussed. As stated before, I am willing to work on this.

Cheers,
François

[1] https://www.tuxed.net/fkooman/blog/minisign.html
[2] https://apps.fedoraproject.org/packages/minisign
_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx