On Wed, 28 Sep 2011, Ted Ts'o wrote:
> On Wed, Sep 28, 2011 at 06:25:43PM -0400, Jeff King wrote:
> > [1] This is a minor nit, and probably not worth breaking away from the
> > way the rest of the world does it, but it is somewhat silly to sign the
> > compressed data. I couldn't care less about the exact bytes in the
> > compressed version; what I care about is the actual tar file. The
> > compression is just a transport.
>
> The worry I have is that many users don't check the GPG checksum files
> as it is. If they have to decompress the file, and then run gpg to
> check the checksum, they might never get around to doing it.
>
> That being said, I'm not sure I have a good solution. One is to ship
> the file without using detached signatures, and ship a foo.tar.gz.gpg
> file, and force them to use GPG to unwrap the file before it can be
> unpacked. But users would yell and scream if we did that...
>
> - Ted
Or you could just provide detached signatures for the compressed tarballs
like they have been doing for years at kernel.org (and many other sites).
If tarball.tar.bz2 has a detached signature tarball.tar.bz2.sig, just
download them both and:
gpg --verify tarball.tar.gz.sig
To argue that some people don't avail themselves of this feature is no
excuse for not providing it for those of us who consider it vital. The
break-in at k.o is no excuse for dropping this very sensible policy which
has protected us for years. Just change the signing key and continue as
before.
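As an added example (not code from either poster), here is a POSIX shell wrapper covering both conventions argued over above: a detached signature over the compressed tarball (the kernel.org practice the reply defends) and a signature over the uncompressed tar stream (Jeff's preference). It pins the signer's fingerprint via `--status-fd`, since a plain `gpg --verify` exits 0 for a good signature from any key, trusted or not. The function name, arguments and return codes are this example's own.

```shell
#!/bin/sh
# verify_tarball <tarball> <sig-file> <expected-fingerprint> [compressed|uncompressed]
# Returns 0 only when gpg reports VALIDSIG from the pinned key.
# Exit codes 2 (missing/unsupported input) and 3 (no gpg) are this example's own.
verify_tarball() {
    tarball=$1; sig=$2; want_fpr=$3; mode=${4:-compressed}
    [ -f "$tarball" ] && [ -f "$sig" ] || return 2
    command -v gpg >/dev/null 2>&1 || return 3

    # --status-fd 1 gives machine-readable "[GNUPG:] ..." lines on stdout;
    # human-readable output stays on stderr, which we discard here.
    if [ "$mode" = uncompressed ]; then
        # Signature was made over the .tar, so decompress and feed the
        # stream to gpg on stdin ("-" as the data file argument).
        case $tarball in
            *.gz)  status=$(gzip -dc "$tarball" | gpg --batch --status-fd 1 --verify "$sig" - 2>/dev/null) ;;
            *.bz2) status=$(bzip2 -dc "$tarball" | gpg --batch --status-fd 1 --verify "$sig" - 2>/dev/null) ;;
            *.xz)  status=$(xz -dc "$tarball" | gpg --batch --status-fd 1 --verify "$sig" - 2>/dev/null) ;;
            *)     return 2 ;;
        esac
    else
        # Signature was made over the compressed bytes themselves.
        status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null)
    fi

    # "[GNUPG:] VALIDSIG <fingerprint> ..." appears only for a cryptographically
    # good signature; comparing the fingerprint rejects good signatures from
    # the wrong key (e.g. a key that was rotated after a compromise).
    got_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')
    [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ]
}
```

Rotating the signing key, as the reply suggests, then means updating the pinned fingerprint that callers pass in, not trusting whatever key the new signature happens to carry.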