On Thu, May 26, 2011 at 7:15 PM, Evan Phoenix <[email protected]> wrote:
>> If the ruby standard library can deal with the public key signing (RSA
>> and DSA) and hash functions (SHA series, and possibly MD5, RIPEMD160) it
>> would be possible to write a full ruby implementation that can process
>> OpenPGP files, but that's a lot of work, and prone to errors.
>
> While it is going to be more work, it's the only solution that really
> makes any sense. We simply can't introduce pgp/gpg as a platform dependency.
>
Fair enough. I'll look into exactly how hairy this will be.

But for now, let's go under the assumption that I write a plugin for rubygems. Not part of the base system. This plugin allows you to sign and verify gems, and does require a working gpg installation. Only people who care about software verification install it and use it. And then in the year 2013 or 2038 or whatever, there's a pure ruby version of the back end crypto stuff and we merge the code with rubygems.

1) Is the gpg requirement still a dealbreaker in this scenario?
2) Does rubygems do any verification of the contents? Will a few extra files in the main .tgz flag the gem as invalid?
3) Is there interest in a simulated CA at a site like rubygems, as described in the original post?

--
Grant

_______________________________________________
Rubygems-developers mailing list
http://rubyforge.org/projects/rubygems
[email protected]
http://rubyforge.org/mailman/listinfo/rubygems-developers
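The sign-and-verify step the thread is weighing (gpg plugin now versus pure-Ruby crypto later) can already be done with Ruby's standard OpenSSL library, RSA over SHA-256, with no gpg dependency. This is an added example, not code from this thread or from rubygems; the archive bytes, key names and the `verify_gem` helper are constructed for the demo.

```ruby
require 'openssl'

# Constructed stand-in for the bytes of a packaged gem archive (.tgz).
SAMPLE_GEM_BYTES = "fake gem archive contents v1".b

# Publisher-side: generate a signing key (a real publisher keeps a
# long-lived key and only publishes the public half).
def generate_keypair
  OpenSSL::PKey::RSA.new(2048)
end

# Publisher-side: detached signature over the whole archive.
# The signature travels next to the .tgz, never inside the signed bytes.
def sign_gem(private_key, archive_bytes)
  private_key.sign(OpenSSL::Digest.new('SHA256'), archive_bytes)
end

# Installer-side: verify the detached signature against a public key the
# user already trusts (e.g. pinned in a local keyring). Any failure,
# including a malformed signature that makes OpenSSL raise, is reported
# as false so the caller simply refuses to install.
def verify_gem(trusted_public_key_pem, archive_bytes, signature)
  pub = OpenSSL::PKey::RSA.new(trusted_public_key_pem)
  pub.verify(OpenSSL::Digest.new('SHA256'), signature, archive_bytes)
rescue OpenSSL::PKey::PKeyError
  false
end

# Installer-side policy: unsigned or badly signed gems are rejected.
def install_allowed?(trusted_public_key_pem, archive_bytes, signature)
  return false if signature.nil? || signature.empty?
  verify_gem(trusted_public_key_pem, archive_bytes, signature)
end

if __FILE__ == $0
  key = generate_keypair
  sig = sign_gem(key, SAMPLE_GEM_BYTES)
  pub_pem = key.public_key.to_pem
  puts "genuine archive:  #{install_allowed?(pub_pem, SAMPLE_GEM_BYTES, sig)}"
  puts "tampered archive: #{install_allowed?(pub_pem, SAMPLE_GEM_BYTES + 'x', sig)}"
end
```

The same check detects the "few extra files in the main .tgz" case from question 2: any change to the archive bytes after signing fails verification.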
