On Mon, Jan 3, 2022 at 2:12 PM Ed Merks <ed.me...@gmail.com> wrote:

> I've opened https://bugs.eclipse.org/bugs/show_bug.cgi?id=578024 to track
> this issue. Minimally the help for the dialog should describe how to
> find such external PGP services and in our case specifically how to verify
> that this is an Eclipse project's key.  We can discuss the details there.
> I can try to help iron out the wrinkles...
>

OK.

> So, for example, if I have the question "is it guaranteed that two
> different org.bouncycastle.openpgp.PGPPublicKey instances might have the
> same org.bouncycastle.openpgp.PGPPublicKey.getKeyID() values" that should
> be a p2 Bugzilla?  I wouldn't ask that on platform-dev but I would have
> thought to ask on p2-dev rather than open a question Bugzilla.  I see no
> reason to assume that the getKeyID values are unique, though I suppose the
> chances of collisions are vanishingly small (and downstream utility classes
> seem to assume this).
>
For questions, p2-dev is probably the best place.
For the particular question about keyIDs, they should not really be used in
practice (see https://evil32.com/); instead, users should look at key
fingerprints as what they'd expect as being the id.

> I've opened https://bugs.eclipse.org/bugs/show_bug.cgi?id=578023 to track
> this issue.
>

Thanks.
_______________________________________________
platform-dev mailing list
platform-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/platform-dev
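
The point made in the reply about key IDs versus fingerprints, as an added example that is not part of the original thread and is not p2 or Bouncy Castle code: for a v4 key (RFC 4880) the 64-bit key ID is only the tail of the 160-bit fingerprint, so it can find candidate keys but cannot identify one. The function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import struct

def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte length, public-key packet body."""
    framed = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize(fingerprint: str) -> str:
    """Strip spaces, upper-case, and insist on a full 160-bit value."""
    fpr = fingerprint.replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("expected a 160-bit v4 fingerprint: %r" % fingerprint)
    return fpr

def key_id(fingerprint: str) -> str:
    """A v4 key ID is just the low-order 64 bits of the fingerprint."""
    return normalize(fingerprint)[-16:]

def resolve_signer(keyring, issuer_key_id, pinned):
    """Use the key ID only to find candidates; decide trust on the full fingerprint."""
    wanted = issuer_key_id.replace(" ", "").upper()
    pinned = {normalize(f) for f in pinned}
    candidates = sorted(normalize(f) for f in keyring if key_id(f) == wanted)
    return {
        "candidates": candidates,
        "ambiguous": len(candidates) > 1,
        # A trusted candidate must still verify the signature cryptographically.
        "trusted": [f for f in candidates if f in pinned],
    }

# Constructed sample values (not real keys): two fingerprints sharing one key ID.
PINNED = "AAAA 0000 AAAA 0000 AAAA 0000 1122 3344 5566 7788"
LOOKALIKE = "BBBB 1111 BBBB 1111 BBBB 1111 1122 3344 5566 7788"
UNRELATED = "CCCC 2222 CCCC 2222 CCCC 2222 99AA BBCC DDEE FF00"
# Constructed bytes standing in for a v4 public-key packet body.
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1641219120) + b"\x01" + b"constructed key material"

if __name__ == "__main__":
    print(resolve_signer([PINNED, LOOKALIKE, UNRELATED], "1122334455667788", [PINNED]))
    fpr = v4_fingerprint(SAMPLE_BODY)
    print(fpr, key_id(fpr))
```

A lookup keyed on the key ID alone would return both the pinned key and the lookalike; only the comparison against the pinned fingerprint separates them.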
