Chris Laprise wrote: > It doesn't really exist either way, does it? A big reason why I'm > debating the thinking behind this is that its based on a low-quality > assessment done here: > > https://groups.google.com/d/msg/qubes-devel/TQr_QcXIVww/SHLNsoPgWTAJ > > That is the whole 'I don't trust GPG' rationale right there. My > takeaway from it could be that verbose mode gives me super-powers of > perception with hardly any effort ...or not.
I think this thread digressed too much. Note that the revived thread deals just with package verification. You are not dealing with full gpg files. Actually, I would expect the upstream package manager to use gpgv, not gpg, thus reducing the attack surface. Per the man page: > It is somewhat smaller than the fully-blown gpg and uses a different > (and simpler) way to check that the public keys used to make the > signature are > valid. and indeed on a cursory look, it is clear that it handles a only a limited subset of packets (PKT_SIGNATURE/PKT_ONEPASS_SIG, PKT_PLAINTEXT, PKT_COMPRESSED and PKT_GPG_CONTROL), although I agree it is still quite complex. :-( -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/1483989827.1209.30.camel%4016bits.net. For more options, visit https://groups.google.com/d/optout.
