On Thu, May 26, 2011 at 6:34 PM, Grant Olson <k...@grant-olson.net> wrote:
> On 5/26/11 5:56 PM, Evan Phoenix wrote:
>> I apologize for the top posting, but the comment applies to the whole thing.
>>
>> Grant, one of the requirements for any signing strategy is that it can be
>> implemented all in ruby, specifically with things provided by the ruby
>> standard library. This by and large means OpenSSL.
>>
>> Could a PGP-style setup be fully implemented in ruby and hosted entirely by
>> us (not require any pgp keyservers)?
>>
>
> My philosophy was to dump as much of the real crypto to the existing
> infrastructure as possible, so we don't need to worry about bone-headed
> crypto mistakes in our code. But I see where you're coming from.
>
> The proof-of-concept code I have right now just shells out to gpg with
> backticks and degrades gracefully if there's no gpg. There's no
> verification, but you can still install the gem, and run rubygems
> without any external dependencies.
>

Doesn't that defeat the purpose of actually having signed/certified gems?

As for backticks: on Windows, there is no OpenPGP by default and Ruby
works on Windows. There will be systems where PGP is not installed at all.

-- 
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
_______________________________________________
Rubygems-developers mailing list
http://rubyforge.org/projects/rubygems
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
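
The two constraints raised in this thread (signing built only on Ruby's standard-library OpenSSL, and verification that does not silently disappear when a tool is missing) can be sketched as follows. This is an added example, not code from the thread or from RubyGems; the method names, error classes, the `allow_unsigned` option and the sample package bytes are all hypothetical, and the key is a throwaway generated in-process.

```ruby
require "openssl"

class UnsignedPackageError < StandardError; end
class BadSignatureError < StandardError; end

DIGEST = "SHA256"

# Produce a detached signature over the raw package bytes.
def sign_package(private_key, package_bytes)
  private_key.sign(OpenSSL::Digest.new(DIGEST), package_bytes)
end

# Verify a detached signature. A missing signature is an error unless the
# caller explicitly opts in to unsigned packages, and even then the result
# is reported as :unverified so it is never mistaken for a verified install.
def verify_package(public_key, package_bytes, signature, allow_unsigned: false)
  if signature.nil? || signature.empty?
    raise UnsignedPackageError, "no signature supplied" unless allow_unsigned
    return :unverified
  end
  ok = begin
    public_key.verify(OpenSSL::Digest.new(DIGEST), signature, package_bytes)
  rescue OpenSSL::PKey::PKeyError
    false # malformed signature bytes count as a failed verification
  end
  raise BadSignatureError, "signature does not match package" unless ok
  :verified
end

# Map each verification outcome to a value so the cases can be compared.
def outcome(*args, **opts)
  verify_package(*args, **opts)
rescue UnsignedPackageError, BadSignatureError => e
  e.class
end

# Constructed sample data: a throwaway key and stand-in package bytes.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  pub = key.public_key
  package = "constructed stand-in for example-0.0.1.gem contents".b
  sig = sign_package(key, package)
  { good: outcome(pub, package, sig),
    tampered: outcome(pub, package + "x", sig),
    missing: outcome(pub, package, nil),
    opted_out: outcome(pub, package, nil, allow_unsigned: true) }
end

p demo if $PROGRAM_NAME == __FILE__
```

Because nothing here shells out, the same check runs on a Windows host with no OpenPGP installed; how the public key is distributed and trusted is outside this sketch.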