See below.

-- Evan Phoenix // e...@fallingsnow.net

On Thursday, May 26, 2011 at 5:26 PM, Grant Olson wrote:

> On Thu, May 26, 2011 at 7:15 PM, Evan Phoenix <e...@fallingsnow.net> wrote:
> > > If the ruby standard library can deal with the public key signing (RSA
> > > and DSA) and hash functions (SHA series, and possibly MD5, RIPEMD160) it
> > > would be possible to write a full ruby implementation that can process
> > > OpenPGP files, but that's a lot of work, and prone to errors.
> >
> > While it is going to be more work, it's the only solution that really
> > makes any sense. We simply can't introduce pgp/gpg as a platform dependency.
>
> Fair enough. I'll look into exactly how hairy this will be.
>
> But for now, let's go under the assumption that I write a plugin for
> rubygems. Not part of the base system. This plugin allows you to sign
> and verify gems, and does require a working gpg installation. Only
> people who care about software verification install it and use it. And
> then in the year 2013 or 2038 or whatever, there's a pure ruby version
> of the back end crypto stuff and we merge the code with rubygems.

You're free to write a rubygems plugin, of course. Avoid monkey patching methods within rubygems though, since there is no promise those will continue to work. I can't promise anything about a merge unless we see the actual code.

> 1) Is the gpg requirement still a dealbreaker in this scenario?

Yep, still a deal breaker, sorry. No external dependency.

> 2) Does rubygems do any verification of the contents? Will a few extra
> files in the main .tgz flag the gem as invalid?

There is verification in parts, but I don't recall if it rejects .gem's with extra data in them. I suggest you give it a try and let us know though before you build a whole system.

> 3) Is there interest in a simulated CA at a site like rubygems, as
> described in the original post?

Do you mean X509 CA (I assume so)? In which case, yes, a rubygems/rubycentral CA is something that has been discussed.

> --
> Grant
> _______________________________________________
> Rubygems-developers mailing list
> http://rubyforge.org/projects/rubygems
> Rubygems-developers@rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers
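
The thread turns on two points: whether Ruby's standard library alone (RSA plus a SHA hash, no gpg) can sign a gem, and whether extra files in the archive would go unnoticed. The following is an added example, not code from this thread or from rubygems: it puts a detached RSA/SHA-256 signature over the raw bytes of a tar archive and shows that adding one file makes verification fail. The file names, contents and throwaway key are constructed, and the signature is a bare RSA signature, not an OpenPGP packet.

```ruby
require "openssl"
require "rubygems/package"
require "stringio"

# Constructed sample content standing in for a gem's files.
SAMPLE_FILES = {
  "lib/demo.rb"  => "module Demo; end\n",
  "demo.gemspec" => "# constructed placeholder gemspec\n",
}.freeze

# Pack {name => body} into an in-memory tar archive.
def build_tar(files)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |name, body|
      tar.add_file_simple(name, 0o644, body.bytesize) { |f| f.write(body) }
    end
  end
  io.string
end

# List member names, so an unexpected file can be reported by name.
def member_names(tar_bytes)
  names = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each { |entry| names << entry.full_name }
  end
  names
end

# Detached RSA/SHA-256 signature over the raw archive bytes (not OpenPGP).
def sign_archive(private_key, tar_bytes)
  private_key.sign(OpenSSL::Digest.new("SHA256"), tar_bytes)
end

# True only if the signature matches these exact bytes under this key.
def verify_archive(public_key, signature, tar_bytes)
  public_key.verify(OpenSSL::Digest.new("SHA256"), signature, tar_bytes)
end

if __FILE__ == $PROGRAM_NAME
  key      = OpenSSL::PKey::RSA.new(2048) # throwaway key for the demo
  original = build_tar(SAMPLE_FILES)
  sig      = sign_archive(key, original)
  tampered = build_tar(SAMPLE_FILES.merge("extra.rb" => "puts :added\n"))
  puts "original verifies: #{verify_archive(key.public_key, sig, original)}"
  puts "tampered verifies: #{verify_archive(key.public_key, sig, tampered)}"
  puts "unexpected members: #{member_names(tampered) - SAMPLE_FILES.keys}"
end
```

Because the signature covers every byte of the archive, any added member invalidates it; the member listing only helps report what changed.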