> > > > Yes, this is a known - or not so well known - limitation. As the
> > > > signature check is basically done by hand, it lacks a lot of features one
> > > > would expect of GPG proper.
> > >
> > > Can we (as an option) use a third-party library, such as 
> > > [rpgp](/rpgp/rpgp)?
> >
> > Rust is not acceptable due to its weak portability.
> 
> Writing a full PGP packet parser in C is too risky, IMO. GPG itself had a 
> buffer overflow not too long ago. We can always detect at compile-time if the 
> Rust library is available, and fall back to the built-in parser if it is not.

The issue is that RPM has to work on _everything_. RPM is used on Linux, 
Windows (!!!), OS/2 (!!!!!), AIX, IRIX, macOS, and so on. Several of these 
platforms cannot use Rust or will never get Rust ports.

> That said, there are C libraries that we can use instead, such as the one 
> used by Thunderbird.

I think good C libraries for GPG would actually be really helpful, since we 
could use it throughout the RPM package management stack then. Relying on GnuPG 
causes major issues, especially in containers and offline provisioning cases.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1306#issuecomment-751335604
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint