On Sunday 12 April 2009, Daniel Carrera wrote:
> Dan Pascu wrote:
> > If integrity is all that matters a simple digest algorithm like
> > md5/sha would be enough to validate if a patch was not altered. GPG
> > is not necessary unless you also want to do authentication.
>
> A simple hash would be a good step,

I may be wrong on this, but I'm under the impression that this can be done (if it's not already), as with the hashed format, the hash name used for patches and files is already correlated with the contents, so a simple integrity check is possible (if not already done as I said).

> and personally I think that GPG is
> too "heavy" for what the features I'm talking about. I do want to see
> signed patches, but you can go for something much lighter than GPG.

IMO, whatever you have in mind is too heavy for a user that doesn't care or doesn't need to verify identities by means of digital signatures. This is why I must reiterate my point, that while I think this can be a useful addition, I do not want to see it enforced on each and every repository by default. It must be a user choice, whether to use it or not.

--
Dan
