Ted Ts'o <tytso@xxxxxxx> writes: > On Wed, Sep 28, 2011 at 06:25:43PM -0400, Jeff King wrote: >> [1] This is a minor nit, and probably not worth breaking away from the >> way the rest of the world does it, but it is somewhat silly to sign the >> compressed data. I couldn't care less about the exact bytes in the >> compressed version; what I care about is the actual tar file. The >> compression is just a transport. > > The worry I have is that many users don't check the GPG checksum files > as it is. If they have to decompress the file, and then run gpg to > check the checksum, they might never get around to doing it. > > That being said, I'm not sure I have a good solution. One is to ship > the file without using detached signatures, and ship a foo.tar.gz.gpg > file, and force them to use GPG to unwrap the file before it can be > unpacked. But users would yell and scream if we did that... I suspect that letting GPG do the compression and shipping foo.tar.gpg would work just fine as well, and it is somewhat a tempting response to a _demand_ to sign materials we distribute. Of course, a nicer response to a _request_ would be to give a detached signature ;-) I understand that the automated GPG signature k.org used to use on the master machine was primarily to protect the copies that the mirrors serve from getting tampered after they leave the master machine. Do you happen to know what the new policy will be? Will the developers who distribute their snapshot tarballs from the site be GPG signing them themselves before uploading? That would improve the situation (I suspect that there were some people who misunderstood that these GPG signature were to protect against break-in at the master machine), but at the same time, it may create the chicken-and-egg bootstrapping problem if public keys of too many people need to be published securely. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html