See below. -- Evan Phoenix // [email protected]

On Thursday, May 26, 2011 at 3:34 PM, Grant Olson wrote:

> On 5/26/11 5:56 PM, Evan Phoenix wrote:
> > I apologize for the top posting, but the comment applies to the whole thing.
> >
> > Grant, one of the requirements for any signing strategy is that it can be
> > implemented all in ruby, specifically with things provided by the ruby
> > standard library. This by and large means OpenSSL.
> >
> > Could a PGP-style setup be fully implemented in ruby and hosted entirely by
> > us (not require any pgp keyservers)?
>
> My philosophy was to dump as much of the real crypto to the existing
> infrastructure as possible, so we don't need to worry about bone-headed
> crypto mistakes in our code. But I see where you're coming from.
>
> The proof-of-concept code I have right now just shells out to gpg with
> backticks and degrades gracefully if there's no gpg. There's no
> verification, but you can still install the gem, and run rubygems
> without any external dependencies.
>
> If the ruby standard library can deal with the public key signing (RSA
> and DSA) and hash functions (SHA series, and possibly MD5, RIPEMD160) it
> would be possible to write a full ruby implementation that can process
> OpenPGP files, but that's a lot of work, and prone to errors.

While it is going to be more work, it's the only solution that really makes any sense. We simply can't introduce pgp/gpg as a platform dependency.

> For the second part of the question, I'm not sure if you're asking if we
> could run our own keyservers, or if we need to be able to verify
> packages with the network unplugged.
>
> The keyserver code is open source, you could run your own keyservers
> outside of the existing pools if you wanted to.

Sure, that's what I mean. Rubygems shouldn't go down because keyservers are being worked on; we need to be masters of our own destiny.

> If you wanted to be able to verify gems without network access, you
> could include official master signing keys (the public portion only) in
> the rubygem distribution, as I talk about in the last section. The gem
> maintainer could embed their full public key into the gem, including the
> signature from the master key, in addition to the package signatures.
> With this, you would have everything you need to verify the package off-line.
>
> --
> Grant
>
> "I am gravely disappointed. Again you have made me unleash my dogs of war."
> _______________________________________________
> Rubygems-developers mailing list
> http://rubyforge.org/projects/rubygems
> [email protected]
> http://rubyforge.org/mailman/listinfo/rubygems-developers
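The offline chain Grant describes above (a master key certifies the maintainer's public key, the maintainer signs the package, and the verifier needs only the shipped master public key), as an added example built on Ruby's OpenSSL standard library; this is not code from the thread or from RubyGems, and the key size, digest and package bytes are assumptions for the demo.

```ruby
require 'openssl'
# Added example, not from the thread or RubyGems: the offline verification chain
# Grant sketches, using only Ruby's OpenSSL standard library. Key size (2048-bit
# RSA), digest (SHA-256) and the package bytes are assumptions for this demo.
def digest
  OpenSSL::Digest.new('SHA256')
end

# The RubyGems master key certifies a maintainer by signing their public key PEM.
def certify_maintainer(master_key, maintainer_pub_pem)
  master_key.sign(digest, maintainer_pub_pem)
end

# The maintainer signs the package bytes (for a real gem, the archive contents).
def sign_package(maintainer_key, package_bytes)
  maintainer_key.sign(digest, package_bytes)
end

# The verifier holds only the master public key shipped with rubygems; the
# maintainer key, its certification and the package signature all come from
# the gem itself, so no network and no gpg are needed.
def verify_package(master_pub_pem, maintainer_pub_pem, cert_sig, package_bytes, pkg_sig)
  master_pub = OpenSSL::PKey::RSA.new(master_pub_pem)
  # Step 1: was this maintainer key certified by the master key?
  return false unless master_pub.verify(digest, cert_sig, maintainer_pub_pem)
  # Step 2: does the certified key vouch for exactly these package bytes?
  OpenSSL::PKey::RSA.new(maintainer_pub_pem).verify(digest, pkg_sig, package_bytes)
rescue OpenSSL::PKey::PKeyError
  false # a malformed key or signature is "unverified", never "valid"
end

# Builds a master key, one certified maintainer key and one uncertified key,
# then returns the verifier's verdict for the good path and two failure modes.
def run_demo
  master, maintainer, rogue = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  master_pub_pem = master.public_key.to_pem
  maint_pub_pem = maintainer.public_key.to_pem
  cert_sig = certify_maintainer(master, maint_pub_pem)
  package = "constructed gem bytes, demo-1.0.0"  # constructed sample input
  pkg_sig = sign_package(maintainer, package)
  rogue_pem = rogue.public_key.to_pem
  {
    genuine: verify_package(master_pub_pem, maint_pub_pem, cert_sig, package, pkg_sig),
    tampered: verify_package(master_pub_pem, maint_pub_pem, cert_sig, package + "!", pkg_sig),
    # a key that certified itself instead of being certified by the master key
    uncertified: verify_package(master_pub_pem, rogue_pem, certify_maintainer(rogue, rogue_pem),
                                package, sign_package(rogue, package))
  }
end
```

`run_demo` returns `{genuine: true, tampered: false, uncertified: false}`: a modified package or a key the master never certified is rejected without any keyserver lookup.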
