Re: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-26 Thread Nicholas Wourms
Do we have to make things so complex? Cheers, Nicholas

Re: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-26 Thread Nicholas Wourms
Just my two pence worth ;) Trust me, there's plenty of time before this could go ahead. Setup.exe has core model changes needed to support it. I'd give two quid if setup.exe would compile properly with g++-3.2! Cheers, Nicholas

Re: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-25 Thread Robert Collins
On Mon, 2002-09-23 at 21:54, Lapo Luchini wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I was thinking about it (again)... but a little search avoided me a duplicate proposal... So I will answer to latest messages I can find about it, as I'm very interested in the thing. - From

Re: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-25 Thread Lapo Luchini
Let's start with setup.exe: Should we embed a key in it? A: No. We should not embed a key in it, because that forces all packages to be signed by one and only one matching key. Or by any key that is directly (or indirectly) signed by that key... So, you say 'well, how do we get a list of

RE: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-25 Thread Morrison, John
I think, if this key thing goes ahead, somebody is going to have to come up with a *very* detailed method of getting a key and signing things with regards to cygwin stuff. Making a package for cygwin _is_ not easy for people who grew up in windows. I'm sure it's put lots of people off

Re: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-25 Thread Robert Collins
On Wed, 2002-09-25 at 23:18, Lapo Luchini wrote: 2) cygwin has an implicitly trusted key, whose private key is used by CGF, Corinna, or any central cygwin trusted member I don't think we want an implicitly trusted key. We do need a central key of sorts, but that is different because the user

RE: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-25 Thread Robert Collins
On Wed, 2002-09-25 at 23:36, Morrison, John wrote: I think, if this key thing goes ahead, somebody is going to have to come up with a *very* detailed method of getting a key and signing things with regards to cygwin stuff. Making a package for cygwin _is_ not easy for people who grew up in

Re: [RFC] gpg signed packages [Was: unofficial packages]

2002-09-25 Thread Lapo Luchini
I don't think we want an implicitly trusted key. We do need a central key of sorts, but that is different because the user must choose to trust it. I meant implicitly for cygwin people, not implicit for the final user =) I'm trying to avoid devaluing the web of trust, while still keeping what