No no, I'm not talking about importing raw RSA data or the such.

I was just thinking: would it be useful (at least to someone) to support OpenPGP signatures of "something", just like a project (sometimes =P) finds it useful to sign tarballs? And, if the answer is positive, "what"?

My personal brainstorming (some things partially true, some debatable, some plain false... that's the very idea of "brainstorming" after all...):

It could be useful because...
a. it delegates the problem of trust to an existing web of trust
b. many people know it already and feel confident in its signatures
c. people could check the signature "manually"

It could be used to sign...
a. manifests, because they directly contain the hashes of every file contained in the project (and if you trust SHA1 you trust SHA1, and if you don't... then you can't use the PGP web of trust anyway!)
b. revisions, because they contain the hash of the manifest, are smaller, and the signature could even be stored in a cert

In fact I think an "openpgp" cert containing the raw detached signature would probably be the best, and it could be done entirely with a small script or wrapper.
The easiest way could be to directly put the "armor" in the cert, but that would be unnecessarily large and bulky... can a cert contain a binary value? As a SQLite3 field I know it does, but as a command line parameter of "mtn cert" I guess it does not.

Just to be fair: it would NOT be useful, or would be straight disruptive, because:
a. it instills the doubt that mtn's own signatures are "less worthy"
b. it adds much data but pretty much nothing, security-wise, in the DB
c. the very idea of needing an external and existing trust is debatable

--
Lapo Luchini [EMAIL PROTECTED] (OpenPGP & X.509)
www.lapo.it (Jabber, ICQ, MSN)
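The post's point (a) and (b) under "it could be used to sign" rests on a hash chain: a manifest lists the SHA1 of every file, a revision carries the SHA1 of its manifest, so one OpenPGP signature over the revision or manifest id transitively authenticates the whole tree. The following script, added here as an illustration and not monotone code nor anything from the thread, builds a toy manifest in that shape, derives the id that the external signature would cover, and verifies a working tree against it. The manifest line format, the toy revision text and the sample files are constructed for the example; the optional gpg call assumes a `gpg` binary with a default secret key is available and is skipped otherwise.

```python
"""Verify a file tree against a manifest id that an OpenPGP signature
would cover.  Constructed example; the formats below imitate the idea of
monotone manifests/revisions, not their actual syntax."""
import hashlib
import shutil
import subprocess
from typing import Dict, List, Optional


def sha1_hex(data: bytes) -> str:
    """Hex SHA1, the digest the post assumes the whole scheme trusts."""
    return hashlib.sha1(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """One line per file, sorted by path so the text is canonical:
    '<sha1>  <path>'.  Sorting matters: the signature covers the bytes,
    so two orderings of the same tree would not verify against each other."""
    lines = [f"{sha1_hex(files[path])}  {path}" for path in sorted(files)]
    return "\n".join(lines) + "\n"


def manifest_id(manifest: str) -> str:
    """The value a detached OpenPGP signature over the manifest would attest."""
    return sha1_hex(manifest.encode())


def build_revision(manifest_hex: str, parent_hex: Optional[str] = None) -> str:
    """Toy revision text: it names the manifest id (and parent revision),
    so signing the revision id covers the manifest and thus every file."""
    text = f"manifest {manifest_hex}\n"
    if parent_hex is not None:
        text += f"parent {parent_hex}\n"
    return text


def revision_id(revision: str) -> str:
    return sha1_hex(revision.encode())


def verify_tree(files: Dict[str, bytes], manifest: str,
                signed_manifest_id: str) -> dict:
    """Check the tree against a manifest whose id is trusted (e.g. because
    its OpenPGP signature verified).  Returns whether the manifest text
    itself matches the trusted id, and which paths disagree with it:
    modified content, files missing from the tree, or files not listed."""
    if manifest_id(manifest) != signed_manifest_id:
        # Manifest text was altered; its per-file hashes are untrustworthy.
        return {"manifest_ok": False, "bad_files": []}
    expected: Dict[str, str] = {}
    for line in manifest.splitlines():
        digest, path = line.split("  ", 1)
        expected[path] = digest
    bad: List[str] = sorted(
        path for path in set(expected) | set(files)
        if path not in files or path not in expected
        or sha1_hex(files[path]) != expected[path]
    )
    return {"manifest_ok": True, "bad_files": bad}


def detached_signature(data: bytes) -> Optional[bytes]:
    """Binary (non-armored) detached OpenPGP signature of `data` via gpg,
    the form the post suggests storing in a cert.  Assumes gpg is on PATH
    with a usable default key; returns None when gpg is unavailable."""
    if shutil.which("gpg") is None:
        return None
    result = subprocess.run(["gpg", "--batch", "--detach-sign"],
                            input=data, capture_output=True, check=True)
    return result.stdout


# Constructed sample tree standing in for a checked-out project.
CONSTRUCTED_TREE: Dict[str, bytes] = {
    "README": b"hello\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

if __name__ == "__main__":
    manifest = build_manifest(CONSTRUCTED_TREE)
    mid = manifest_id(manifest)
    rid = revision_id(build_revision(mid))
    print("manifest id:", mid)
    print("revision id:", rid)
    print("clean tree:", verify_tree(CONSTRUCTED_TREE, manifest, mid))
    tampered = dict(CONSTRUCTED_TREE, README=b"hello!\n")
    print("tampered tree:", verify_tree(tampered, manifest, mid))
    sig = detached_signature(rid.encode())
    print("signature bytes:", None if sig is None else len(sig))
```

The size concern in the post is visible here: `detached_signature` returns the binary packet, which is the compact form; wrapping the same packet in ASCII armor adds roughly a third in base64 plus headers. Whether the cert value may carry raw bytes is a question for the `mtn cert` interface, which this script does not touch.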