On 5/26/2011 6:38 PM, Luis Lavena wrote:
> On Thu, May 26, 2011 at 6:34 PM, Grant Olson <k...@grant-olson.net> wrote:
>>
>> The proof-of-concept code I have right now just shells out to gpg with
>> backticks and degrades gracefully if there's no gpg. There's no
>> verification, but you can still install the gem, and run rubygems
>> without any external dependencies.
>>
>
> Doesn't that defeat the purpose of actually having signed/certified gems?
>

I don't think so. What percent of people who download any software or distro CD actually check the SHA hashes or gpg signatures? Not very many. But a small minority of security-conscious people do. And if the security-conscious people find a forged or invalid checksum/sig, the rest of the community will hear about it.

> As for backticks: on Windows, there is no OpenPGP by default and Ruby
> works on Windows.
>
> It will be a system where PGP is not installed at all.
>

Yep, I've had to manually install SHA packages and OpenPGP on Windows to verify software. People who weren't interested haven't, and everything still worked for them. It's the same thing with an optional flag to verify a gem's signature.

But let's not get too hung up on this for now. See my email to Evan below. Let's assume we're starting off with an entirely optional not-part-of-the-standard-ruby-install plug-in, which requires a working gpg.

--
Grant

_______________________________________________
Rubygems-developers mailing list
http://rubyforge.org/projects/rubygems
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
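A sketch of the optional check discussed above, as an added example that is not code from the thread or from RubyGems: it looks for gpg, skips verification when none is installed (the Windows case), and, unlike backticks, hands gpg an argv array so file names never pass through a shell. The file names, the status values and the "fully/ultimately trusted key" threshold are assumptions.

```ruby
require "open3"

# Outcome of an optional gem signature check (constructed status values).
VerifyResult = Struct.new(:status, :detail)

# Locate a gpg binary on PATH, honouring PATHEXT on Windows. Returns nil when
# none is installed, which is the "degrade gracefully" case from the thread.
def find_gpg(candidates = %w[gpg gpg2])
  exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [""]
  ENV.fetch("PATH", "").split(File::PATH_SEPARATOR).each do |dir|
    candidates.product(exts).each do |name, ext|
      path = File.join(dir, name + ext)
      return path if File.file?(path) && File.executable?(path)
    end
  end
  nil
end

# Verify a detached OpenPGP signature over a .gem file.
#   no gpg runnable                     -> :unavailable (install proceeds unverified)
#   gpg rejects it / file missing       -> :invalid
#   good signature, key not trusted     -> :untrusted
#   good signature from a trusted key   -> :verified
# Arguments go to Open3 as an argv array, so a crafted file name cannot be
# interpolated into a shell command the way it could with backticks.
def verify_gem_signature(gem_path, sig_path, gpg: find_gpg)
  return VerifyResult.new(:unavailable, "no gpg on PATH") if gpg.nil?
  return VerifyResult.new(:invalid, "gem or signature file missing") unless File.file?(gem_path) && File.file?(sig_path)

  out, err, status = Open3.capture3(gpg, "--batch", "--no-tty", "--status-fd", "1",
                                    "--verify", sig_path, gem_path)
  return VerifyResult.new(:invalid, err) unless status.success?

  # Machine-readable status lines: GOODSIG only says the signing key is in the
  # keyring; the TRUST_* line says whether that key is actually trusted.
  return VerifyResult.new(:invalid, out) unless out.include?("[GNUPG:] GOODSIG")
  trusted = out.lines.any? { |l| l.start_with?("[GNUPG:] TRUST_FULLY", "[GNUPG:] TRUST_ULTIMATE") }
  VerifyResult.new(trusted ? :verified : :untrusted, out)
rescue Errno::ENOENT, Errno::EACCES => e
  VerifyResult.new(:unavailable, e.message) # a gpg path was given but cannot be run
end
```

Whether :unavailable and :untrusted abort the install or merely warn is the policy decision the thread is debating; this code only reports which case occurred.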