> @nwalfield, merging certificates sounds like a relatively hard problem to
> solve in general.
Can you explain what you are thinking or worried about here? The
implementation to merge certificates in Sequoia [starts
here](https://gitlab.com/sequoia-pgp/sequoia/-/blob/9e48a064/openpgp/src/cert.rs#L2592).
We basically turn the two certificates into arrays of packets, and merge the
two arrays. Then we
[canonicalize](https://gitlab.com/sequoia-pgp/sequoia/-/blob/9e48a064/openpgp/src/cert.rs#L1519-2090)
the result, which reorders and dedups the packets. I admit it is a few lines
of code, but I think it is a stretch to say that it is a hard problem.
> Can you think of any use cases where this would cause a problem?
Yes. If the new certificate is missing some components that the existing
version has, signatures that could once be verified may no longer be verifiable.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2577#issuecomment-1646546531
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/2577/1646546...@github.com>
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint