public inbox for cygwin@cygwin.com
* RE: PGP signatures for packages?
@ 2002-05-17 20:19 Robert Collins
  2002-05-18  1:40 ` Michael Young
  0 siblings, 1 reply; 16+ messages in thread
From: Robert Collins @ 2002-05-17 20:19 UTC (permalink / raw)
  To: Michael Young, cygwin



> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua@the-youngs.org] 
> Sent: Saturday, May 18, 2002 1:19 AM
> Would you be willing to provide the binary over HTTPS?
> It looks like Apache with mod_ssl is built for Cygwin.

This one I have no input on. Well I can voice an opinion, and that's
about that.

Here's my opinion: You won't gain anything significant by using SSL to
grab setup.exe. Setup.exe is already mirrored out to multiple sites. 

And adding GPG as a package should be easy. There are already volunteer
binary downloads 'out there'. You just need to merge their build recipe
and patches and the volunteer maintainer instructions.

Rob

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

* RE: PGP signatures for packages?
@ 2002-05-18 14:08 Robert Collins
  0 siblings, 0 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-18 14:08 UTC (permalink / raw)
  To: Michael Young, cygwin



> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua@the-youngs.org] 
> Sent: Saturday, May 18, 2002 1:35 PM
> To: Robert Collins; cygwin@cygwin.com
> Subject: Re: PGP signatures for packages?
> 
> 
> > And adding GPG as a package should be easy. There are 
> > already volunteer 
> > binary downloads 'out there'. You just need to merge their build 
> > recipe and patches and the volunteer maintainer instructions.
> 
> My understanding is that the official Windows binaries for 
> GnuPG are built on Linux using a cross-compiler.  I don't 
> suppose that's a legitimate approach for an official Cygwin 
> package, though, is it? I'll look at what it will take to do 
> a native configure/compile.

http://www.google.com/search?hl=en&ie=UTF8&oe=UTF8&q=GPG+cygwin
http://disastry.dhs.org/pgp/gpg.htm

Rob 

* RE: PGP signatures for packages?
@ 2002-05-17  2:23 Robert Collins
  0 siblings, 0 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-17  2:23 UTC (permalink / raw)
  To: Cliff Hones, cygwin



> -----Original Message-----
> From: Cliff Hones [mailto:cliff@aonix.co.uk] 
> Sent: Friday, May 17, 2002 5:28 PM
> To: cygwin@cygwin.com; Robert Collins
> Subject: Re: PGP signatures for packages?
> 
> 
> Robert Collins <robert.collins@itdomain.com.au> wrote:
> > ...
> > Until that is done, conversation on this is moot.
> > ...
> 
> 'moot' is one of those words which doesn't travel well.
> In UK English, it means "undecided" or "debatable", so a
> moot point is one which hasn't been settled, and is open
> to discussion.
> 
> I believe in common US English it means "out of order" - ie 
> closed to discussion (at least for the moment).
> 
> What a wonderful language we use.
> 
> What does it mean in Australian English, Robert?

I'm not sure. Both the US and UK meanings are relevant for my statement
though :}. I'll leave you to wonder whether that was intentional.

Rob

* RE: PGP signatures for packages?
@ 2002-05-17  0:51 Robert Collins
  2002-05-17  2:19 ` Cliff Hones
  2002-05-17 10:25 ` Michael Young
  0 siblings, 2 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-17  0:51 UTC (permalink / raw)
  To: Michael Young, cygwin



> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua@the-youngs.org] 
> Sent: Friday, May 17, 2002 3:27 PM
> 

> So, how would the Cygwin team feel about GPG-signing just these
> two files?

I'm the setup.exe maintainer. Here's what I need before I will sign
setup.exe. (More on setup.ini later).

I need:
* A Cygwin package of GPG, maintained by someone-that-is-not-me, that is
compatible with my Unix GPG keyring (I know that should go without
saying).

That's it. But without that I will not sign setup.exe. Just like I
didn't compress it until UPX became a package :].

See http://www.cygwin.com/setup.html for information on contributing
GPG.

Until that is done, conversation on this is moot.

I would, BTW, sign it with a separate file. There may also be
logistical issues with upset getting the version number out of the UPX
compressed file, but I think I have a solution to that that will work
for Chris.

As for setup.ini:

Signing of setup.ini is, IMO, meaningless at this point in time.
setup.ini, like the Debian Packages or Releases or whatever the archive
is called, is a federated system. You can download from as many mirrors
as you like in one session, and setup provides a homogeneous view of the
result. In short, an unsigned setup.ini can alter the data you see from
a signed setup.ini. Per-package signing would be the way to go. Also, as
setup.ini is dynamically generated, we would have a serious key
management issue in attempting to have setup.ini signed. Per-package
signing allows the key management to be federated as well - to each
maintainer - and thus would not cause the same headache as signing
setup.ini.

Cheers,
Rob

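Rob's setup.ini argument in the message above, as an added example that is not from the thread and not Cygwin's setup code: it models two mirrors, one serving a signed setup.ini and one an unsigned one, and shows that the merged listing setup acts on gets no protection from the one signature, while a per-package signature checked against the maintainer's own key rejects the altered package whichever mirror served it. The package bodies, the simplified listing format, the key names and the use of HMAC in place of a GPG detached signature are assumptions made so it runs offline.

```python
import hmac
import hashlib

# Constructed stand-in for per-maintainer GPG keys (not Cygwin's real keys or
# tooling): HMAC only so this runs offline; real GPG verification needs only public keys.
KEYS = {"archive": b"archive-key", "upx-maint": b"upx-key"}

def sign(key_id, data):
    return hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()

def verify(key_id, data, tag):
    return hmac.compare_digest(sign(key_id, data), tag)

def parse_ini(text):
    """Simplified setup.ini-like listing: '@ name' then 'install: path size md5'."""
    pkgs, name = {}, None
    for line in text.splitlines():
        if line.startswith("@ "):
            name = line[2:].strip()
        elif line.startswith("install:") and name:
            path, size, md5 = line.split(":", 1)[1].split()
            pkgs[name] = (path, int(size), md5)
    return pkgs

def merged_view(*inis):
    """Setup merges every mirror's listing; a later mirror's entry overrides an earlier one."""
    view = {}
    for ini in inis:
        view.update(parse_ini(ini))
    return view

# Constructed package bodies and the listings two mirrors serve for them.
UPX_GOOD = b"upx-1.20 release tarball (constructed)"
UPX_BAD = b"upx-1.20 tarball with modified contents (constructed)"
ENTRY = "@ upx\ninstall: release/upx/upx-1.20.tar.bz2 %d %s\n"
INI_A = ENTRY % (len(UPX_GOOD), hashlib.md5(UPX_GOOD).hexdigest())
INI_B = ENTRY % (len(UPX_BAD), hashlib.md5(UPX_BAD).hexdigest())
SIG_A = sign("archive", INI_A.encode())     # mirror A's setup.ini is signed
UPX_SIG = sign("upx-maint", UPX_GOOD)       # maintainer's per-package signature

def signed_ini_guards_merged_view():
    """Mirror A's signature verifies, yet the merged view carries B's unsigned entry."""
    sig_ok = verify("archive", INI_A.encode(), SIG_A)
    _, _, md5 = merged_view(INI_A, INI_B)["upx"]
    return sig_ok and md5 == hashlib.md5(UPX_GOOD).hexdigest()  # False

def package_verified(body, sig):
    """Per-package check on the bytes actually downloaded, whichever mirror served them."""
    return verify("upx-maint", body, sig)
```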
* RE: PGP signatures for packages?
@ 2002-05-17  0:16 Robert Collins
  0 siblings, 0 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-17  0:16 UTC (permalink / raw)
  To: cygwin



> -----Original Message-----
> From: Christopher Faylor [mailto:cgf-cygwin@cygwin.com] 
> Sent: Friday, May 17, 2002 1:43 PM

> >I saw a note back in December
> >(http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
> >that touched on this, but I couldn't find any followup.  Did this 
> >wither on the vine?
> 
> No.  It's actually part of the current setup.exe.

A minor erratum: the HEAD cvs tag has it. The current setup.exe just
silently ignores the data from the ini file.

Rob

* PGP signatures for packages?
@ 2002-05-16 21:44 Michael Young
  2002-05-16 22:30 ` Christopher Faylor
  2002-05-16 23:07 ` Charles Wilson
  0 siblings, 2 replies; 16+ messages in thread
From: Michael Young @ 2002-05-16 21:44 UTC (permalink / raw)
  To: cygwin

Are signatures available for the setup program, or for the packages it
downloads?
RPM uses GPG signatures, but I can't find anything comparable for the Cygwin
binaries.  Even just a list of hashes would be worthwhile (ideally vended from
a secure Cygwin/Redhat web page) to verify that a mirror (or download) hasn't
been corrupted.  Real PGP signatures would be better.  I can live without tool
support -- I can do the verifications manually, but only if I can find the
signatures :-).

I saw a note back in December
(http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
that touched on this, but I couldn't find any followup.  Did this wither on the
vine?


